[32502] in North American Network Operators' Group
Re: Carnivore Update - Washington Post 11/21/00
daemon@ATHENA.MIT.EDU (Sean Donelan)
Fri Nov 24 04:49:35 2000
Date: 24 Nov 2000 01:47:25 -0800
Message-ID: <20001124094725.14404.cpmta@c004.sfo.cp.net>
Content-Type: text/plain
Content-Disposition: inline
Mime-Version: 1.0
To: avg@kotovnik.com
From: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 23 November 2000, Vadim Antonov wrote:
> I do not think that carnivore is doing that, but SSL is not resistant to
> the man-in-the-middle attack. The problem here is in the lack of any
> useful certificate validation support. How many users actually check that
> site certificate indeed belongs to whoever is identified as the site owner
> on the Web pages?
My understanding of Carnivore is it sits as a Man-On-The-Side, not a man-in-
the-middle. Carnivore is exactly the type of evesdropping Diffie-Hillman is
supposed to protect against.
> (Plus, it depends on the security of certification autority's private
> keys, their public parts being non-revokable, because they are bundled
> with browser software. I have a little doubt that it is all too easy for
> law enforcement to obtain these keys if they need to. Interests of my
> privacy definitely do not match interests of RSA Cert. Auth., Inc, a
> commercial entity. Of course, i have no proof that this happened, but I
> have no reason to trust that it didn't happen, too.)
I was not aware that Terrorists'R'Us got their certificates from RSA. Besides
wouldn't it violate some trading with the enemy law for a reputable certificate
authority to sell certificates to known terrorists? Unless, of course, the
real targets for the survellience are someone else.
