[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"? [SEC=PERSONAL]
Peter Barker
pbarker at barker.dropbear.id.au
Wed Mar 24 23:33:22 MDT 2010
On Thu, 25 Mar 2010, Roppola, Antti wrote:
> No real surprise here. Someone that paranoid isn't going to trust a 3rd
> party CA anyway.
Well, if we're going to have parties - maybe we should invite a few more
people along?
I recollect seeing some stuff (e.g.
http://www.springerlink.com/content/y0563l2g69477j42/) on asking various
other servers around the planet whether they saw the same thing as you
were seeing as a hedge against MitM attacks. You'd think it would be
pretty straightforward in this case.... browser plugin, anyone?
One thing would be *very* interesting - what if the identity of the
"leaked" CA-cert came to light? Would Mozilla turf it from its
collection? Would Debian? Would Microsoft? Would the Australian
Government mandate the removal of that certificate from government
computers?
> However I'm not surprised that there are incorrect generalisations about
> exactly what sort of trust a purchased certificate means. A CA is a 3rd
> party in a trust relationship who is mutually trusted because they are
> external & impartial. As soon as they are "inside" the relationship
"Someone I don't know (merchant) has given money to someone *else* I don't
know (CA), who is apparently trusted by *another* set of people I don't
know (browser developers)... so I can trust them, right?"
> Antti
Yours,
--
Peter Barker | Programmer,Sysadmin,Geek.
pbarker at barker.dropbear.id.au | You need a bigger hammer.
:: It's a hack! Expect underscores! - Nigel Williams
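The multi-vantage-point check Peter describes above (ask several servers elsewhere on the planet whether they see the same certificate you do, in the style of the Perspectives paper he links) is sketched here as an added example. It is not code from the original post or from the Perspectives project. The notary names and the "DER" byte strings are constructed stand-ins; a real client would fetch the live certificate and the notaries' observations over the network, and the notaries' answers would have to be signed, otherwise the same attacker who swaps the server certificate can swap the notary replies too.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Mapping, Optional, Dict

# Constructed stand-ins for DER-encoded certificates. In practice these would be
# the bytes of the leaf certificate seen by the client and by each notary.
GENUINE_DER = b"\x30\x82\x01\x00constructed-genuine-leaf-certificate"
FORGED_DER = b"\x30\x82\x01\x00constructed-mitm-leaf-certificate"

# Constructed notary observations: three vantage points saw the genuine cert,
# one notary was unreachable (None) and contributes nothing to the vote.
NOTARIES: Dict[str, Optional[bytes]] = {
    "notary-eu": GENUINE_DER,
    "notary-us": GENUINE_DER,
    "notary-au": GENUINE_DER,
    "notary-jp": None,
}

# Constructed split view, e.g. a site mid key-rollover or behind differently
# configured load balancers: no quorum either way.
SPLIT_NOTARIES: Dict[str, Optional[bytes]] = {
    "notary-eu": GENUINE_DER,
    "notary-us": FORGED_DER,
    "notary-au": GENUINE_DER,
    "notary-jp": FORGED_DER,
}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Verdict:
    status: str                # "consistent", "mismatch" or "inconclusive"
    agreeing: int              # notaries whose view matches the client's
    total: int                 # notaries that answered at all
    majority_fp: Optional[str] # fingerprint most notaries reported, if any


def check_perspectives(local_der: bytes,
                       notary_views: Mapping[str, Optional[bytes]],
                       quorum: float = 0.75) -> Verdict:
    """Compare the certificate this client received with what the notaries saw.

    quorum is the fraction of answering notaries that must agree before we call
    a view authoritative; it must exceed 0.5 so at most one view can reach it.
    """
    if not 0.5 < quorum <= 1.0:
        raise ValueError("quorum must be in (0.5, 1.0]")
    local_fp = fingerprint(local_der)
    observed = [fingerprint(d) for d in notary_views.values() if d is not None]
    total = len(observed)
    if total == 0:
        return Verdict("inconclusive", 0, 0, None)
    counts = Counter(observed)
    majority_fp, majority_n = counts.most_common(1)[0]
    agreeing = counts.get(local_fp, 0)
    if agreeing / total >= quorum:
        # The world sees what we see: no evidence of a MitM near the client.
        return Verdict("consistent", agreeing, total, majority_fp)
    if majority_n / total >= quorum:
        # The notaries agree with each other but not with us: the classic
        # signature of a certificate substituted on the client's path.
        return Verdict("mismatch", agreeing, total, majority_fp)
    # Notaries disagree among themselves: neither confirm nor condemn.
    return Verdict("inconclusive", agreeing, total, majority_fp)


def demo() -> Dict[str, Verdict]:
    """Run the three constructed scenarios and return their verdicts."""
    return {
        "genuine": check_perspectives(GENUINE_DER, NOTARIES),
        "mitm": check_perspectives(FORGED_DER, NOTARIES),
        "split": check_perspectives(GENUINE_DER, SPLIT_NOTARIES),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} {verdict.status:12s} "
              f"{verdict.agreeing}/{verdict.total} agree with client")
```

Two caveats a practitioner would add before trusting such a plugin: it only detects an interposer that sits near the client, since an attacker close to the server (or holding the server's real key) shows every notary the same forged certificate; and it cannot distinguish a MitM from a legitimate certificate change it has not yet observed, which is why the split case is reported as inconclusive rather than as an attack.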