[145191] in cryptography@c2.net mail archive


Re: Law Enforcement Appliance Subverts SSL

daemon@ATHENA.MIT.EDU (dan@geer.org)
Thu Mar 25 11:14:02 2010

From: dan@geer.org
To: Rui Paulo <rpaulo@gmail.com>
cc: cryptography@metzdowd.com
In-Reply-To: Your message of "Wed, 24 Mar 2010 19:14:55 -0000."
             <4B0F790D-5073-46F2-8CF0-70E059246765@gmail.com> 
Date: Thu, 25 Mar 2010 08:58:33 -0400


Rui Paulo writes:
-+---------------
 | http://www.wired.com/threatlevel/2010/03/packet-forensics/
 | 
 | "At a recent wiretapping convention however, security researcher Chris
 | Soghoian discovered that a small company was marketing internet spying
 | boxes to the feds designed to intercept those communications, without
 | breaking the encryption, by using forged security certificates, instead
 | of the real ones that websites use to verify secure connections. To use
 | the appliance, the government would need to acquire a forged certificate
 | from any one of more than 100 trusted Certificate Authorities."
 | 


I rather like Cormac Herley's paper:

  http://preview.tinyurl.com/yko7lhg
  So Long, And No Thanks for the Externalities:
  The Rational Rejection of Security Advice by Users

which I cite here for this line:

  It is hard to blame users for not being interested in SSL
  and certificates when (as far as we can determine) 100% of
  all certificate errors seen by users are false positives.



--dan

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
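The interception the quoted Wired piece describes, as an added example that is not part of this post, the thread, or the appliance: two CAs are constructed and both placed in the trust store, one issues the genuine certificate for a host and the other issues the "forged" one. Both pass the ordinary chain, hostname and key-usage check, which is why the user sees no certificate error at all, and only a check the trust store does not perform, here a pin on the SHA-256 of the genuine certificate's SubjectPublicKeyInfo, tells them apart. The hostname, the CA names and the pinning check are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// template returns a one-day certificate template: a CA profile, or a server profile for name.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mustSign generates a P-256 key for tmpl and has parent sign it (self-signed when parent is nil); panics on failure.
func mustSign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SPKIPin is base64(SHA-256(SubjectPublicKeyInfo)), the pin-sha256 form HPKP used.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// TrustStoreAccepts is the check a browser performs: chains to a trusted root, name and EKU match.
func TrustStoreAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

type Outcome struct {
	RealAccepted, ForgedAccepted bool   // trust-store verdicts on the genuine and forged leaf
	RealPin, ForgedPin           string // SPKI pins of the two leaves
	ForgedMatchesPin             bool   // would a client pinned to the genuine SPKI accept the forgery?
}

// RunScenario trusts two constructed CAs; the second issues a certificate for a host it has no relationship with.
func RunScenario() Outcome {
	const host = "mail.example.test" // constructed hostname
	realCA, realKey := mustSign(template("Legitimate CA", 1, true), nil, nil)
	rogueCA, rogueKey := mustSign(template("Cooperating CA", 2, true), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(realCA)
	roots.AddCert(rogueCA)
	genuine, _ := mustSign(template(host, 100, false), realCA, realKey)
	forged, _ := mustSign(template(host, 200, false), rogueCA, rogueKey) // the appliance's certificate
	o := Outcome{
		RealAccepted:   TrustStoreAccepts(genuine, roots, host),
		ForgedAccepted: TrustStoreAccepts(forged, roots, host),
		RealPin:        SPKIPin(genuine),
		ForgedPin:      SPKIPin(forged),
	}
	o.ForgedMatchesPin = o.ForgedPin == o.RealPin
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it with `go run` prints both leaves accepted by the trust store and the forged one rejected by the pin. The point of the Wired quote is the first half of that output: as long as the issuing CA is in the trust store, nothing in the standard validation distinguishes a certificate the site asked for from one a cooperating CA issued on request, so the decision is entirely in the client's hands. Pinning shifts that decision to the client, at the cost of the operational burden (backup pins, key rotation) that made browsers retire HPKP.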
