Gov't, certificate authorities conspire to spy on SSL users?

lotuseclat79 · Mar 31, 2010

Gov't, certificate authorities conspire to spy on SSL users?.

Recent discoveries by Wired and a paper by security researchers Christopher Soghoian and Sid Stamm suggests that SSL might not be as secure as once thought. Not because SSL itself has been compromised, but because governments are conspiring with Certificate Authorities, key parts of the SSL infrastructure, to subvert the entire system to allow them to spy on anyone they wish to keep tabs on.
Click to expand...

-- Tom

MrBrian · Sep 8, 2010

From The Internet's Secret Back Door:

But over time, browsers have trusted more and more organizations to verify Web sites. Safari and Firefox now trust more than 60 separate certificate authorities by default. Microsoft's software trusts more than 100 private and government institutions.

Disturbingly, some of these trusted certificate authorities have decided to delegate their powers to yet more organizations, which aren't tracked or audited by browser companies. By scouring the Net for certificates, security researchers have uncovered more than 600 groups who, through such delegation, are now also automatically trusted by most browsers, including the Department of Homeland Security, Google, and Ford Motors—and a UAE mobile phone company called Etisalat.
Click to expand...

CloneRanger · Sep 8, 2010

@ MrBrian

Good searching - March 31st

Trust nobody

Funnily enough PSOL comes pre loaded with these auto allows

chronomatic · Sep 8, 2010

The SSL system is broken. This has been covered here many times. A couple of good links for further reading:

http://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl

http://www.crypto.com/blog/spycerts/

http://www.wired.com/threatlevel/2010/03/packet-forensics/

From the last article, a GoDaddy rep gives an interview and I found her words very interesting, if not confusing:

“I’ve read studies and heard speeches in academic circles that theorize that concept, but we never would issue a ‘fake’ SSL certificate,” Jones said, arguing that would violate the SSL auditing standards and put them at risk of losing their certification. “Theoretically it would work, but the thing is we get requests from law enforcement every day, and in entire time we have been doing this, we have never had a single instance where law enforcement asked us to do something inappropriate.”
Click to expand...

So, she admits they get requests from LEA's "every day" yet have never been asked to do anything inappropriate. My question is, if the LEA's aren't after their certs, then what the heck are they requesting?

CloneRanger · Sep 8, 2010

@ chronomatic

You're right to remind/enlighten us

inappropriate She/they could mean Anything ! Inappropriate to who, us or them ? You can bet it won't be them

My question is, if the LEA's aren't after their certs, then what the heck are they requesting?
Click to expand...

Exactly, the plot thickens, and we need answers.

LockBox · Sep 8, 2010

CloneRanger said:

@ chronomatic

You're right to remind/enlighten us

inappropriate She/they could mean Anything ! Inappropriate to who, us or them ? You can bet it won't be them

Exactly, the plot thickens, and we need answers.
Click to expand...

The sub-sub contracting of certificates is nuts. I've seen web hosts now giving away certificates that are self-signed. It needs a complete overhaul and fast.

Log in or Sign up

Gov't, certificate authorities conspire to spy on SSL users?

lotuseclat79 Registered Member

MrBrian Registered Member

CloneRanger Registered Member

chronomatic Registered Member

CloneRanger Registered Member

LockBox Registered Member

Log in or Sign up

Gov't, certificate authorities conspire to spy on SSL users?

lotuseclat79 Registered Member

MrBrian Registered Member

CloneRanger Registered Member

chronomatic Registered Member

CloneRanger Registered Member

LockBox Registered Member

Useful Searches