[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"?

Daniel Pittman daniel at rimspace.net
Wed Mar 24 21:31:42 MDT 2010


Arjen Lentz <arjen at lentz.com.au> writes:
> ----- "steve jenkin" <sjenkin at canb.auug.org.au> wrote:
>> Comments?
>> 
>> <http://www.crypto.com/blog/spycerts/>
>
> Not being naive, we can say "bound to happen", "predictable" - but it's very
> annoying.  What SSL cert authorities actually sell is "trust by proxy".
> That is, I purchase an SSL cert from them so that my clients can trust me.

*nod*  I agree with this assessment.


> I'd prefer a system that does not rely on intrinsic trust in anybody - but
> we don't have that.  So now we have a problem, whereby I get to pay regular or
> premium rates for an SSL cert of whatever nice fancy-stamp-for-client level,
> to potentially get screwed over anyhow.

Well, no.  You get exactly what was promised: the SSL CA provides a
certificate that assures your users that you followed their criteria and paid
them the money they want.

Your certificate doesn't change after this revelation: it still provides the
same level of encryption, etc., and still provides the same level of assurance
of identity.

Any change there is *entirely* in the realm of perception of security, not
actual security.

[...]

> That makes me very unhappy.  No trust from anyone to anyone, and I still
> have to pay for it. That's just grand.

I *very* much doubt this will make a significant difference to the perception
of security, except for a few highly skilled and trained technical people.

Heck, many of them probably *already* knew what the value of SSL was to start
with, and didn't assume that your commercial cert was worth anything more than
the paper it was printed on. ;)


Oh, and: http://www.startssl.com/

You can, at least, reduce the burdensome cost of providing an illusion of
security to the non-technical users through these folks and their least-worst
business model for a CA.

        Daniel

-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
