New Research Suggests That Governments May Fake SSL Certificates

I don’t know what to think about it; this was posted on another forum so I just read about it… any comment appreciated…

Iran Suspected After Comodo Partner Issues Rogue SSL Certs

That is currently being discussed in "Comodo issues fraudulent Google, Microsoft, Mozilla, Skype, Yahoo certificates". Please join the discussion there.

Using the Opera browser, which does not allow self-signed certs from governments and companies.

It’s not about self-signed certificates; it’s about legitimate, trusted CAs issuing certificates to intelligence agencies, which allows them to use MITM attacks to intercept data transmissions.

http://www.schneier.com/blog/archives/2010/04/man-in-the-midd_2.html
http://www.schneier.com/blog/archives/2010/09/uae_man-in-the-.html
The Spy in the Middle: http://www.crypto.com/blog/spycerts/
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/381acf2eca0c011f#


I read the paper by Soghoian and Stamm last year and it’s very interesting. It certainly made me reconsider which CAs I allow in my browser. It also made me employ the services of an additional extension for keeping track of things.

Certificate Patrol
Perspectives

It’s also worth considering how easily SSL can be broken:

Moxie Marlinspike sslstrip

Also how ineffective relying upon CRL/OCSP can be:

lower tech attack is possible and it’s why revocation does not work
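The "keeping track of things" that Certificate Patrol does is trust-on-first-use pinning: remember the certificate a host presented last time and flag any change, because a substituted certificate from a trusted CA passes normal chain validation. This is an added Python example, not code from the thread or from the extension; the `pins.json` path and `example.com` are hypothetical.

```python
import hashlib
import json
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(pins: dict, host: str, der_cert: bytes) -> str:
    """Compare the presented leaf certificate with the stored pin for host.

    Returns "first-seen" (pin recorded now), "match", or "CHANGED". A change
    is either a routine renewal or a substituted certificate; a trusted CA's
    signature does not tell the two apart, so the operator has to look.
    """
    seen = fingerprint(der_cert)
    known = pins.get(host)
    if known is None:
        pins[host] = seen
        return "first-seen"
    return "match" if known == seen else "CHANGED"


def load_pins(path: Path) -> dict:
    """Pin store is a JSON object {host: fingerprint}; a missing file is empty."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path: Path, pins: dict) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the server presents and return it as DER.

    This helper does not verify the chain itself; run the pin check in
    addition to, never instead of, ordinary CA validation."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    # Hypothetical host and store location; substitute your own.
    store = Path("pins.json")
    pins = load_pins(store)
    print(check_pin(pins, "example.com", fetch_leaf_der("example.com")))
    save_pins(store, pins)
```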

I know, I was just making a side comment to what was in one of the articles.

I will take a look at this later.