by Mike Masnick
Thu, Mar 25th 2010 7:59pm
The idea of using man-in-the-middle attacks to spy on encrypted conversations is hardly new, but there hasn't been a really thorough discussion of how likely it is to be used against SSL connections (the encrypted connections your browser uses on https sites, such as online banking, where the little lock shows up in the corner). A new paper lays out not just how such an attack works, but also how a company is selling the equipment to governments to carry it out.

Of course, to sit in the middle without tripping the browser's warning, you need a certificate authority to issue you a certificate for the target's domain name. That certificate isn't "fake" in the cryptographic sense: it is a perfectly valid one, signed by a CA the browser already trusts, just issued to the wrong party. And because a browser will accept a certificate for any domain from any of the many CAs in its trust list, it only takes one cooperating CA anywhere in the world. There are fears that governments could obtain one by compulsion or by trickery, and hackers could certainly obtain one by trickery. The Wired article on the paper quotes people at both GoDaddy and VeriSign insisting that they've never issued such certificates to the government, but it is suspicious that a company is selling governments a device whose whole purpose is to use them. The real problem is in the basic trust model of SSL, which right now involves too much blind trust: the user has no way to notice that the CA vouching for their bank today isn't the one that vouched for it yesterday. Apparently, the EFF is working with some security researchers on suggestions for how this could be fixed.
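To make the trust problem concrete, here is an added example (not code from the post, the paper, or the EFF) modelling in plain Python the check a browser of the time performs, next to a trust-on-first-use pin on the server's key that a client could add on top. Certificates are toy records rather than real X.509, and the root names, hostnames and key bytes are all constructed for illustration.

```python
"""
Toy model of the SSL trust decision that makes CA-assisted interception work,
and of a pinning check that notices it.

Added illustrative example; not code from the Techdirt post or the paper it
discusses. Certificates are small records, not real X.509. All CA names,
hostnames and key bytes are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str        # DNS name the certificate vouches for
    issuer: str         # CA that signed it
    public_key: bytes   # stand-in for the SubjectPublicKeyInfo


# Hypothetical root store. Any single entry can vouch for any hostname,
# which is the "blind trust" the post complains about.
TRUSTED_ROOTS = {"Example Root CA", "Another Root CA", "Coerced Root CA"}

# Constructed sample certificates for the same hostname.
HOST = "bank.example"
REAL_CERT = Cert(HOST, "Example Root CA", b"constructed-real-bank-key")
# The interception box presents a valid certificate for the same name,
# signed by a different root that the browser also trusts.
MITM_CERT = Cert(HOST, "Coerced Root CA", b"constructed-interception-key")
UNKNOWN_CERT = Cert(HOST, "Nobody's CA", b"constructed-random-key")


def spki_fingerprint(cert: Cert) -> str:
    """SHA-256 over the public key: the usual target for a pin."""
    return hashlib.sha256(cert.public_key).hexdigest()


def standard_check(cert: Cert, host: str, roots=TRUSTED_ROOTS) -> bool:
    """What the browser does: name matches and issuer is *any* trusted root."""
    return cert.subject == host and cert.issuer in roots


def pinned_check(cert: Cert, host: str, pins: dict, roots=TRUSTED_ROOTS) -> str:
    """Standard check, then compare the key fingerprint with what this client
    saw on first contact. Returns 'untrusted', 'pinned', 'ok' or 'PIN MISMATCH'."""
    if not standard_check(cert, host, roots):
        return "untrusted"
    fp = spki_fingerprint(cert)
    if host not in pins:
        pins[host] = fp          # first contact: remember the key we saw
        return "pinned"
    return "ok" if pins[host] == fp else "PIN MISMATCH"


def demo() -> dict:
    """Run both checks over the sample certificates and return the verdicts."""
    pins: dict = {}
    return {
        "browser accepts real cert": standard_check(REAL_CERT, HOST),
        "browser accepts intercept cert": standard_check(MITM_CERT, HOST),
        "browser accepts unknown CA": standard_check(UNKNOWN_CERT, HOST),
        "pin: first visit": pinned_check(REAL_CERT, HOST, pins),
        "pin: second visit": pinned_check(REAL_CERT, HOST, pins),
        "pin: intercepted visit": pinned_check(MITM_CERT, HOST, pins),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:32} {verdict}")
```

The point of the model is the second line of output: the interception certificate passes the standard check exactly as the real one does, because the browser asks only "is this signed by someone I trust?" and never "is this the same key I trusted last time?" The pin catches the change even though the new issuer is a perfectly trusted root. The caveats are the usual ones for trust-on-first-use: the first connection has to have been clean, and a legitimate key rotation looks identical to an attack, which is why a check like this is normally combined with some out-of-band source for the expected key rather than used alone.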