[TLS] fyi: paper on compelled, certificate creation attack and applicable appliance
=JeffH <Jeff.Hodges@KingsMountain.com> Wed, 24 March 2010 21:07 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3DD923A6D88 for <tls@core3.amsl.com>; Wed, 24 Mar 2010 14:07:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.465
X-Spam-Level: *
X-Spam-Status: No, score=1.465 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UYe+u3KKKHi4 for <tls@core3.amsl.com>; Wed, 24 Mar 2010 14:07:58 -0700 (PDT)
Received: from outbound-mail-158.bluehost.com (outbound-mail-158.bluehost.com [67.222.39.38]) by core3.amsl.com (Postfix) with SMTP id 809CE3A6D76 for <tls@ietf.org>; Wed, 24 Mar 2010 14:07:45 -0700 (PDT)
Received: (qmail 20462 invoked by uid 0); 24 Mar 2010 21:08:06 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy2.bluehost.com with SMTP; 24 Mar 2010 21:08:06 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User; b=RVEnFYyUcNMcHDwLQiCreO52R11ASILD6Qnzdiz9HqCMJ1FeCdFfb+qKbjYkqyW9DeUKp8ws0VoeaevygiCebLmDeYL2xqlFuQPXSGB73P7hW+qJ+DR+1k+LtOnxnCm3;
Received: from dhcp-wireless-open-abg-24-206.meeting.ietf.org ([130.129.24.206]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1NuXo6-00012D-7B; Wed, 24 Mar 2010 15:08:06 -0600
Message-ID: <4BAA7F31.5050706@KingsMountain.com>
Date: Wed, 24 Mar 2010 14:08:01 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100317)
MIME-Version: 1.0
To: certid@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.24.206 authed with jeff.hodges+kingsmountain.com}
Cc: tls@ietf.org
Subject: [TLS] fyi: paper on compelled, certificate creation attack and applicable appliance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Mar 2010 21:07:59 -0000
Abstract This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate au- thority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals' secure Web- based communications. We reveal alarming ev- idence that suggests that this attack is in ac- tive use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks. ------- Forwarded Message Date: Wed, 24 Mar 2010 15:34:27 -0400 From: Dave Farber <dave@farber.net> To: "ip" <ip@v2.listbox.com> Subject: [IP] Surveillance via bogus SSL certificates Begin forwarded message: > From: Matt Blaze <mab@crypto.com> > Date: March 24, 2010 3:09:19 PM EDT > To: Dave Farber <dave@farber.net> > Subject: Surveillance via bogus SSL certificates > > Dave, > > For IP if you'd like. > > Over a decade ago, I observed that commercial certificate > authorities protect you from anyone from whom they are unwilling to > take money. That turns out to be wrong; they don't even do that. > > Chris Soghoian and Sid Stamm published a paper today that describes > a simple "appliance"-type box, marketed to law enforcement and > intelligence agencies in the US and elsewhere, that uses bogus > certificates issued by *any* cooperative certificate authority to > act as a "man-in-the-middle" for encrypted web traffic. > > Their paper is available at http://files.cloudprivacy.net/ssl-mitm.pdf > > What I found most interesting (and surprising) is that this sort of > surveillance is widespread enough to support fairly mature, turnkey > commercial products. It carries some significant disadvantages > for law enforcement -- most particularly it can be potentially can > be detected. > > I briefly discuss the implications of this kind of surveillance at http://www .crypto.com/blog/spycerts/ > > Also, Wired has a story here: http://www.wired.com/threatlevel/2010/03/packet - -forensics/ > > > -matt > > > - ------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com ------- End of Forwarded Message
- Re: [TLS] fyi: paper on compelled, certificate cr… Yoav Nir
- [TLS] fyi: paper on compelled, certificate creati… =JeffH
- Re: [TLS] fyi: paper on compelled, certificate cr… Yoav Nir
- Re: [TLS] [certid] fyi: paper on compelled, certi… ArkanoiD
- Re: [TLS] [certid] fyi: paper on compelled, certi… Marsh Ray
- Re: [TLS] fyi: paper on compelled, certificate cr… Adam Langley
- Re: [TLS] [certid] fyi: paper on compelled, certi… Daniel Kahn Gillmor
- Re: [TLS] [certid] fyi: paper on compelled, certi… Ben Laurie
- Re: [TLS] [certid] fyi: paper on compelled, certi… ArkanoiD
- Re: [TLS] [certid] fyi: paper on compelled, certi… Story Henry
- Re: [TLS] [certid] fyi: paper on compelled, certi… Story Henry
- Re: [TLS] [certid] fyi: paper on compelled, certi… ArkanoiD