[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"? [SEC=PERSONAL]

Roppola, Antti Antti.Roppola at daff.gov.au
Wed Mar 24 22:46:44 MDT 2010


Steve wrote:

> <http://www.crypto.com/blog/spycerts/>
> 
> "They found turnkey surveillance products, marketed and sold to law
> enforcement and intelligence agencies in the US and foreign countries,
> designed to collect encrypted SSL traffic based on forged "look-alike"
> certificates obtained from cooperative certificate authorities.

No real surprise here. Someone that paranoid isn't going to trust a 3rd
party CA anyway.

However I'm not surprised that there are incorrect generalisations about
exactly what sort of trust a purchased certificate means. A CA is a 3rd
party in a trust relationship who is mutually trusted because they are
external & impartial. As soon as they are "inside" the relationship
bubble they become a stakeholder like everyone else. Viz, all three
parties (Alice, Bob and the CA) answer to the same higher powers.

Antti

