[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"? [SEC=PERSONAL]

Peter Barker pbarker at barker.dropbear.id.au
Wed Mar 24 23:33:22 MDT 2010

On Thu, 25 Mar 2010, Roppola, Antti wrote:

> No real surprise here. Someone that paranoid isn't going to trust a 3rd
> party CA anyway.

Well, if we're going to have parties - maybe we should invite a few more 
people along?

I recollect seeing some stuff (e.g. 
http://www.springerlink.com/content/y0563l2g69477j42/) on asking various 
other servers around the planet whether they saw the same thing as you 
were seeing as a hedge against MitM attacks.  You'd think it would be 
pretty straight forward in this case....  browser plugin, anyone?

One thing would be *very* interesting - what if the identity of the 
"leaked" CA-cert came to light?  Would Mozilla turf it from its 
collection?  Would Debian?  Would Microsoft?  Would the Australian 
Government mandate the removal of that certificate from government 

> However I'm not surprised that there are incorrect generalisations about
> exactly what sort of trust a purchsed certificate means. A CA is a 3rd
> party in a trust relationship who is mutually trusted because they are
> external & impartial. As soon as they are "inside" the relationship

"Someone I don't know (merchant) has given money to someone *else* I don't 
know (CA), who is apparently trusted by *another* set of people I don't 
know (browser developers)... so I can trust them, right?"

> Antti

Peter Barker                          |   Programmer,Sysadmin,Geek.
pbarker at barker.dropbear.id.au	      |   You need a bigger hammer.
:: It's a hack! Expect underscores! - Nigel Williams

More information about the linux mailing list