[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"?
daniel at rimspace.net
Wed Mar 24 21:31:42 MDT 2010
Arjen Lentz <arjen at lentz.com.au> writes:
> ----- "steve jenkin" <sjenkin at canb.auug.org.au> wrote:
> Not being naive, we can say "bound to happen", "predictable" - but it's very
> annoying. What SSL cert authorities actually sell is "trust by proxy".
> That is, I purchase an SSL cert from them so that my clients can trust me.
*nod* I agree with this assessment.
> I'd prefer a system that does not rely on intrinsic trust in anybody - but
> we don't have that. So now we have a problem, whereby I get pay regular or
> premium rates for an SSL cert of whatever nice fancy-stamp-for-client level,
> to potentially get screwed over anyhow.
Well, no. You get exactly what was promised: the SSL CA provides a
certificate that assures your users that you followed their criteria and paid
them the money they want.
Your certificate doesn't change after this revelation: it still provides the
same level of encryption, etc, and still provides the same level of assurance
Any change there is *entirely* in the realm of perception of security, not
> That makes me very unhappy. No trust from anyone to anyone, and I still
> have to pay for it. That's just grand.
I *very* much doubt this will make a significant difference to the perception
of security, except for a few highly skilled and trained technical people.
Heck, many of them probably *already* knew what the value of SSL was to start
with, and didn't assume that your commercial cert was worth anything more than
the paper it was printed on. ;)
Oh, and: http://www.startssl.com/
You can, at least, reduce the burdensome cost of providing an illusion of
security to the non-technical users through these folks and their least-worst
business model for a CA.
✣ Daniel Pittman ✉ daniel at rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
More information about the linux