[LINK] ssl security (lack of) paper

Roger Clarke Roger.Clarke at xamax.com.au
Sat Apr 17 19:09:59 AEST 2010


[A colleague brought this to my attention.  I'd not appreciated the 
*extent* to which SSL/TLS is capable of being compromised.]

Certified Lies: Detecting and Defeating Government Interception 
Attacks Against SSL
By Christopher Soghoian and Sid Stamm
http://cryptome.org/ssl-mitm.pdf

Abstract

This paper introduces the compelled certificate creation attack, in 
which government agencies may compel a certificate authority to issue 
false SSL certificates that can be used by intelligence agencies to 
covertly intercept and hijack individuals' secure Web-based 
communications. Although we do not have direct evidence that this 
form of active surveillance is taking place in the wild, we show how 
products already on the market are geared and marketed towards this 
kind of use, suggesting such attacks may occur in the future, if they 
are not already occurring. Finally, we introduce a lightweight 
browser add-on that detects and thwarts such attacks.

[The authors appear to be Ph.D. candidates at Indiana University.  If 
they're right, then they need to run a fine line to avoid problems!]


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
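The abstract quoted above describes a detection approach only in outline (a browser add-on that notices a falsely issued certificate). The block below is an added illustration of the simplest form such a check can take, and it is not code from the paper, its add-on, or this post: a trust-on-first-use store that remembers which certificate authority issued the certificate last seen for each hostname and flags a later connection whose issuer differs. The `Observation` fields, the fingerprint values and the "same CA re-issued, different CA alerts" policy are all assumptions made for this example.

```python
"""Issuer-change detector for TLS certificates (added example, not the paper's code).

Trust-on-first-use: the first issuer seen for a hostname is pinned; a later
certificate from the same CA is treated as a routine renewal, while a
certificate from a different CA is flagged and the pin is left unchanged.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Observation:
    """Fields a client would read from a server's certificate chain (constructed here)."""
    hostname: str
    leaf_der: bytes        # DER bytes of the leaf certificate (constructed stand-in)
    issuer_org: str        # O= attribute of the issuing CA
    issuer_country: str    # C= attribute of the issuing CA


@dataclass
class Verdict:
    status: str   # "first_seen" | "unchanged" | "reissued" | "issuer_changed"
    detail: str


def fingerprint(der: bytes) -> str:
    """SHA-256 hex digest of the leaf certificate bytes."""
    return hashlib.sha256(der).hexdigest()


class IssuerPinStore:
    """hostname -> (leaf fingerprint, issuer org, issuer country) seen so far."""

    def __init__(self) -> None:
        self._pins: Dict[str, Tuple[str, str, str]] = {}

    def check(self, obs: Observation) -> Verdict:
        fp = fingerprint(obs.leaf_der)
        pinned = self._pins.get(obs.hostname)
        if pinned is None:
            # First contact: nothing to compare against, so pin what we see.
            self._pins[obs.hostname] = (fp, obs.issuer_org, obs.issuer_country)
            return Verdict("first_seen", f"pinned {obs.issuer_org} ({obs.issuer_country})")
        old_fp, old_org, old_country = pinned
        if fp == old_fp:
            return Verdict("unchanged", "same leaf certificate as last time")
        if (obs.issuer_org, obs.issuer_country) == (old_org, old_country):
            # Same CA, new leaf: treat as renewal and move the pin forward.
            self._pins[obs.hostname] = (fp, obs.issuer_org, obs.issuer_country)
            return Verdict("reissued", "new leaf from the previously seen CA")
        # Different CA than every earlier visit: flag, and keep the old pin so a
        # single suspicious connection cannot overwrite the trusted baseline.
        return Verdict(
            "issuer_changed",
            f"{obs.hostname}: issuer was {old_org} ({old_country}), "
            f"now {obs.issuer_org} ({obs.issuer_country})",
        )


# Constructed sample: three certificates for one hostname.
SAMPLE = [
    Observation("mail.example", b"cert-v1", "Example Trust Ltd", "GB"),
    Observation("mail.example", b"cert-v1", "Example Trust Ltd", "GB"),   # repeat visit
    Observation("mail.example", b"cert-v2", "Example Trust Ltd", "GB"),   # renewal
    Observation("mail.example", b"cert-x", "Other Root CA", "XX"),        # different CA
    Observation("mail.example", b"cert-v2", "Example Trust Ltd", "GB"),   # pin survived
]


def run_sample() -> List[str]:
    """Apply the detector to SAMPLE in order and return the status of each step."""
    store = IssuerPinStore()
    return [store.check(o).status for o in SAMPLE]


if __name__ == "__main__":
    for obs, status in zip(SAMPLE, run_sample()):
        print(f"{status:15s} {obs.issuer_org} ({obs.issuer_country})")
```

Two limits of this check follow directly from the abstract's threat model and are worth keeping in mind: it cannot catch a false certificate issued by the very CA the site normally uses, and a first visit that is already being intercepted pins the wrong issuer. It is a change detector, not proof that the pinned baseline was honest.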


