Law Enforcement Appliance Subverts SSL

Discussion in 'other security issues & news' started by Searching_ _ _, Mar 24, 2010.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Law Enforcement Appliance Subverts SSL
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'm thinking they've had that ability for some time now. It's a great way to bust illegal websites, and, of course, a great way to do some general spying. I'm quite sure it'll find its way into the hands of hackers, if it already hasn't (which is unlikely). Another day, another security threat. Welcome to the Internet!
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Searching

    Thanks for posting

    Powerful Solutions for

    Enterprise · Network Operator · Law Enforcement · Defense & Intelligence



    http://www.packetforensics.com/govt.safe

    Wonder what SteveTX ZeroBank will make of it and similar type methods? I'd like to know :thumb: as I'm sure so too would others.

    @dw426

    A lot more than just general spying from Searching's link :ouch:
     
  4. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    As Matt Blaze said on one of the links posted above, the whole SSL model is severely broken. Why? Because it relies on a third-party "authority" to be trustworthy. This means we must trust them not to spoof certificates or give out fake ones to malicious people. Moreover, there are hundreds of such authorities, which makes keeping track of them almost impossible.

    In the midst of these hundreds of authorities it is theorized that at least a few of them are run by intelligence agencies. Therein lies the problem. Encryption is only as good as the key is trustworthy. This is why I like PGP's web of trust model better -- you don't trust a key unless you have met the key owner in person.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @mvario

    Thanks for adding to the thread, glad you did, good info etc :thumb:

    @chronomatic

    Yeah you can't trust many in "so called" authority, especially .GOV etc :(

    ***********************************************************

    Certlock

    http://paranoia.dubfire.net


    CertPatrol

    http://patrol.psyced.org https://addons.mozilla.org/en-US/firefox/addon/6415

    Installed CertPatrol

    Intercepts before Prevx SOL grabs it


    The options box is greyed out and didn't work, maybe there aren't any?


    Click OK and PSOL appears


    Don't know whether this is a conflict or not, or if it matters?




    heise SSL Guardian

    http://www.h-online.com/security/features/Heise-SSL-Guardian-746213.html


    Perspectives

    http://www.cs.cmu.edu/~perspectives/firefox.html

    http://www.cs.cmu.edu/~perspectives/index.html

    Known Issues:

    http://www.cs.cmu.edu/~perspectives/firefox.html#install


    Terminology and policy in relation to subordinate CAs

    http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/9782ec0b32460edc
     
  7. Novastar 3d

    Novastar 3d Registered Member

    Joined:
    May 3, 2009
    Posts:
    62
    Well, there don't seem to be many certificate authorities that come preinstalled in Opera, and besides that, Opera alerts to anything new. With what I use, there would be nothing infecting my browser to begin with. So whatever floats their boat I suppose.
     
  8. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I was asked by CloneRanger to discuss how XeroBank defeats MITM attacks. In this case, our certificates are pre-shared with the client inside our software, so *any* deviation from the certificate expected will send a warning to the user and prevent a connection from being created.
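
The pre-shared certificate check described in the post above, sketched as an added example; it is not part of the thread and not XeroBank's code. Comparing a SHA-256 fingerprint of the DER certificate is an assumption of this sketch, as are all function names and the constructed sample bytes.

```python
import hashlib
import hmac
import socket
import ssl

class PinMismatch(Exception):
    """The presented certificate is not one of the pre-shared ones."""

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def verify_pin(der_cert: bytes, pinned: set) -> str:
    """Return the fingerprint if it is pinned; raise otherwise (an empty set rejects all)."""
    fp = fingerprint(der_cert)
    if not any(hmac.compare_digest(fp, p.lower()) for p in pinned):
        raise PinMismatch(f"unexpected certificate {fp}")
    return fp

def connect_pinned(host: str, port: int, pinned: set, timeout: float = 10.0):
    """Open TLS with normal CA validation, then additionally enforce the pin."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        verify_pin(tls.getpeercert(binary_form=True), pinned)
    except PinMismatch:
        tls.close()  # drop the connection before any application data is sent
        raise
    return tls

# Constructed stand-ins for DER certificates (the hash treats any bytes alike).
EXPECTED_DER = b"constructed: certificate shipped inside the client"
SUBSTITUTE_DER = b"constructed: same hostname, issued by another trusted CA"
PINNED = {fingerprint(EXPECTED_DER)}

def demo() -> dict:
    """Only the pre-shared certificate is accepted, whoever signed the other one."""
    results = {}
    for name, der in (("expected", EXPECTED_DER), ("substitute", SUBSTITUTE_DER)):
        try:
            verify_pin(der, PINNED)
            results[name] = "accepted"
        except PinMismatch:
            results[name] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The pin check runs in addition to CA validation, so a substitute certificate that chains to a trusted authority still fails it.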
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @SteveTX

    Well that's brilliant news :)

    Not being funny, but have you had anyone test/try a MITM attack between endpoints, and anywhere in between, with XB ever?

    If so what were the results ?

    If not will you soon, and publish here please ?

    TIA :thumb:
     