[clug] SSL Man-in-the-Middle attack - by "Law Enforcement"? [SEC=PERSONAL]

Daniel Black daniel.subs at internode.on.net
Thu Mar 25 05:51:38 MDT 2010


On Thursday 25 March 2010 16:33:22 Peter Barker wrote:

> One thing would be *very* interesting - what if the identity of the
> "leaked" CA-cert came to light?  Would Mozilla turf it from its
> collection?

Altering trust bits - so same effect.

http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/17be3bd7e0b33e8c/8bb284037d2ccf1f

> Would Debian?
My guess is yes.

> Would Microsoft?
Guess: random business decision of the day.

> Would the Australian
> Government mandate the removal of that certificate from government
> computers?

There would be advisories issued, I'm sure - make sure I'm not a sysadmin
anywhere there when it comes out.

> > However I'm not surprised that there are incorrect generalisations about
> > exactly what sort of trust a purchased certificate means. A CA is a 3rd
> > party in a trust relationship who is mutually trusted because they are
> > external & impartial. As soon as they are "inside" the relationship
> 
> "Someone I don't know (merchant) has given money to someone *else* I don't
> know (CA), who is apparently trusted by *another* set of people I don't
> know (browser developers)... so I can trust them, right?"

It's easier if you talk about it in terms of reliance rather than trust. You
rely on the browser people to give you good software and give you only CAs
that they themselves would rely on, based on the CA policies and an auditor
statement of reliance covering the policy and operations.

So unless you write/audit your own browser and CAs, then I guess it is trust.

Anyone want to help out CAcert?

http://wiki.cacert.org/OverviewProjectsBoard
http://wiki.cacert.org/HelpingCAcert (slightly outdated)
Or contact me off-list for a more personal service.

Daniel