Ministry of Privacy

EFF Deeplinks has a story about ways governments could forge SSL certificates to defeat SSL session privacy. Certainly this is now being done by the NSA:

“Cryptography is typically bypassed, not penetrated.”
- Adi Shamir

GOVERNMENT EXPLOITS SSL CERTIFICATES SECURITY FLAW?

Researchers released a draft paper about an inherent browser security flaw with evidence that governments may be able to surreptitiously spy on users’ “secure” communications. Most modern browsers rely on certificate authorities (CAs) to vouch for whether a secure site is what it claims to be. But there’s evidence that governments are being sold tools that they can use as part of a scheme to have CAs issue certificates for surveillance operations, enabling the undetectable spoofing of certain websites or services.

For details about the security research:
http://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl

The paper itself:
http://files.cloudprivacy.net/ssl-mitm.pdf
