[LINK] Gov’t, certificate authorities conspire to spy on SSL users?
Rick Welykochy
rick at vitendo.ca
Tue Aug 13 02:31:43 AEST 2013
Kim Holburn wrote:
> http://arstechnica.com/security/2010/03/govts-certificate-authorities-conspire-to-spy-on-ssl-users/
>
>> SSL is the cornerstone of secure Web browsing, enabling credit card and bank details to be used on the 'Net with impunity. We're all told to check for the little padlock in our address bars before handing over any sensitive information. SSL is also increasingly a feature of webmail providers, instant messaging, and other forms of online communication.
>>
>> Recent discoveries by Wired and a paper by security researchers Christopher Soghoian and Sid Stamm suggest that SSL might not be as secure as once thought. Not because SSL itself has been compromised, but because governments are conspiring with Certificate Authorities, key parts of the SSL infrastructure, to subvert the entire system to allow them to spy on anyone they wish to keep tabs on.
The man in the middle attack (MIM) has been known about and demonstrated for many years.
Given gummint's insatiable need to snoop, isn't it time that browser technology
began deploying methodologies to thwart MIM attacks?
But given the unreasonable influence the military-industrial complex has over
technologies and policies in their own favour (viz the recent discussion on
contactless payment cards), I doubt that these mitigating technologies will
ever be deployed. It is not in their interest to do so.
A web search for "mitigating man in the middle attacks" shows that there
are many proposed solutions to make it so. It also takes the will to do so.
Here is but one simple solution:
http://dl.acm.org/citation.cfm?id=1812632
"In this paper, we have proposed and implemented a novel approach to solve MITM
over SSL which uses the genuine website URL. To tackle such attacks we propose
hashing the user password with the public key of the server's digital certificate.
This approach beats the MITM, since the MITM receives the hash of the original
password which cannot be reused. We prove our concept with a browser plugin."
cheers
rickw
--
------------------------------------
Rick Welykochy || Vitendo Consulting
The chief source of problems is solutions.
-- Eric Sevareid
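The scheme quoted from the paper, worked through as an added example (my own illustration, not the paper's browser plugin): the client hashes the password with whatever public key the presented certificate carries, so a token captured through an interposed certificate does not match the verifier the genuine server holds. The key bytes and the HMAC-SHA256 construction are assumptions; the abstract only says "hashing the user password with the public key".

```python
import hashlib
import hmac


def cert_bound_password_hash(password: str, server_public_key: bytes) -> str:
    """Bind the password to the public key the client actually saw in the
    server's certificate. HMAC-SHA256 keyed by that key is our choice of
    construction (assumption); the paper only says "hash with the public key".
    """
    return hmac.new(server_public_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed placeholder key material: in practice these would be the
# SubjectPublicKeyInfo bytes of the certificate presented in the TLS handshake.
GENUINE_SERVER_PUBKEY = b"CONSTRUCTED-GENUINE-SERVER-SPKI"
MITM_PROXY_PUBKEY = b"CONSTRUCTED-INTERPOSED-PROXY-SPKI"


def enroll(password: str) -> str:
    """Enrollment over a direct connection: the server stores the bound hash as
    the verifier. It is still a deterministic function of the password, so a real
    server should additionally salt and stretch it like any password verifier."""
    return cert_bound_password_hash(password, GENUINE_SERVER_PUBKEY)


def client_login_token(password: str, presented_public_key: bytes) -> str:
    """Browser side: always hash with the key from the certificate actually seen."""
    return cert_bound_password_hash(password, presented_public_key)


def server_accepts(stored_verifier: str, token: str) -> bool:
    """Constant-time comparison of the received token with the stored verifier."""
    return hmac.compare_digest(stored_verifier, token)


def simulate(password: str = "correct horse battery staple") -> dict:
    verifier = enroll(password)
    # Case 1: direct connection, the genuine certificate is presented.
    direct = client_login_token(password, GENUINE_SERVER_PUBKEY)
    # Case 2: an interposed party presents its own CA-issued certificate for the
    # site; the client binds the password to that key instead.
    intercepted = client_login_token(password, MITM_PROXY_PUBKEY)
    # The interposed party relays the captured token to the genuine server,
    # which rejects it because it was bound to the wrong public key.
    return {
        "direct_accepted": server_accepts(verifier, direct),
        "replayed_accepted": server_accepts(verifier, intercepted),
        "tokens_differ": direct != intercepted,
    }


if __name__ == "__main__":
    print(simulate())
```

Detection of the interposition itself still depends on the browser noticing the certificate change; this construction only limits what a captured credential is worth.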