[LINK] ssl security (lack of) paper
Roger Clarke
Roger.Clarke at xamax.com.au
Sat Apr 17 19:09:59 AEST 2010
[A colleague brought this to my attention. I'd not appreciated the
*extent* to which SSL/TLS is capable of being compromised.]
Certified Lies: Detecting and Defeating Government Interception
Attacks Against SSL
By Christopher Soghoian and Sid Stamm
http://cryptome.org/ssl-mitm.pdf
Abstract
This paper introduces the compelled certificate creation attack, in
which government agencies may compel a certificate authority to issue
false SSL certificates that can be used by intelligence agencies to
covertly intercept and hijack individuals' secure Web-based
communications. Although we do not have direct evidence that this
form of active surveillance is taking place in the wild, we show how
products already on the market are geared and marketed towards this
kind of use, suggesting such attacks may occur in the future, if they
are not already occurring. Finally, we introduce a lightweight
browser add-on that detects and thwarts such attacks.
[The authors appear to be Ph.D. candidates at Indiana University. If
they're right, then they need to run a fine line to avoid problems!]
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
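Added example, not code from the paper or from the post above: one detection heuristic in the spirit of the browser add-on the abstract mentions (the abstract does not describe the add-on's actual logic). It remembers which CA, and which country, issued the certificate a host presented the first time, and flags a later connection where the issuer changes, with a change of issuing country as the strongest signal. The hostname, the CAs and the "XX" country code are constructed placeholders; the certificate records are built in the mapping shape that Python's ssl.SSLSocket.getpeercert() returns, so the parser also works on a live connection.

```python
"""Trust-on-first-use tracking of certificate issuers.

Added example, not code from the paper or the post above. It remembers which
CA (and which country) issued the certificate a host presented the first time,
and flags later connections where that changes, the kind of signal a browser
add-on could use against a compelled-certificate MITM. Certificates below are
constructed in the mapping shape that ssl.SSLSocket.getpeercert() returns, so
issuer_from_peercert() also works on a live connection.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Verdicts returned by IssuerStore.check()
FIRST_SEEN = "first-seen"                    # nothing to compare with yet
UNCHANGED = "unchanged"                      # same issuer as before
ISSUER_CHANGED = "issuer-changed"            # different CA, same country
COUNTRY_CHANGED = "issuer-country-changed"   # different CA in another country


@dataclass(frozen=True)
class Issuer:
    country: str
    organization: str
    common_name: str


def issuer_from_peercert(cert: dict) -> Issuer:
    """Flatten the issuer RDN sequence ((("countryName", "US"),), ...) into an Issuer."""
    attrs = {}
    for rdn in cert["issuer"]:
        for name, value in rdn:
            attrs[name] = value
    return Issuer(
        country=attrs.get("countryName", "?"),
        organization=attrs.get("organizationName", "?"),
        common_name=attrs.get("commonName", "?"),
    )


@dataclass
class IssuerStore:
    """Per-hostname memory of the issuer first seen for that host."""
    seen: Dict[str, Issuer] = field(default_factory=dict)

    def check(self, hostname: str, cert: dict) -> Tuple[str, Issuer]:
        new = issuer_from_peercert(cert)
        old = self.seen.get(hostname)
        if old is None:
            self.seen[hostname] = new
            return FIRST_SEEN, new
        if old == new:
            return UNCHANGED, new
        # A change is deliberately not recorded: the user has to accept it,
        # otherwise one intercepted connection would "train" the store.
        if old.country != new.country:
            return COUNTRY_CHANGED, new
        return ISSUER_CHANGED, new


# --- constructed sample data (host, CAs and the "XX" country are placeholders) ---
def _cert(country: str, org: str, cn: str) -> dict:
    return {"issuer": ((("countryName", country),),
                       (("organizationName", org),),
                       (("commonName", cn),))}


HOST = "mail.example.com"
CERT_ORIGINAL = _cert("US", "Example Root CA", "Example Root CA")
CERT_FOREIGN_CA = _cert("XX", "Some Other CA", "Some Other CA G1")    # compelled CA abroad
CERT_DOMESTIC_CA = _cert("US", "Another CA Inc", "Another CA Root")   # compelled CA at home


def demo() -> List[str]:
    """Run four connections to HOST through one store and return the verdicts."""
    store = IssuerStore()
    verdicts = []
    for cert in (CERT_ORIGINAL, CERT_ORIGINAL, CERT_FOREIGN_CA, CERT_DOMESTIC_CA):
        verdict, _issuer = store.check(HOST, cert)
        verdicts.append(verdict)
    return verdicts


def inspect_live(hostname: str, port: int = 443) -> Issuer:
    """Fetch a real host's leaf-certificate issuer (needs network; not used by demo())."""
    import socket
    import ssl
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return issuer_from_peercert(tls.getpeercert())


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Two caveats a practitioner would want: the country heuristic says nothing on first contact (the store is empty), and it does not catch a compelled CA in the same country as the legitimate one, which is why a same-country issuer change is still reported separately rather than silently accepted. Comparing the whole chain, or the root, rather than the immediate issuer gives a stricter check at the cost of more false alarms when sites legitimately change CA.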