[Noisebridge-discuss] SSL MITM issues

Ryan Castellucci ryan.castellucci at gmail.com
Sun Mar 28 05:32:17 UTC 2010


We can't really blackball them because they issue legit certs, and
they don't necessarily have a choice in the matter, though I would
like to see legal precedent that the government can compel someone to
produce false documents.

It happens that a technical solution already exists to this form of evil.

http://www.cs.cmu.edu/~perspectives/firefox.html

It does fingerprint checking from diverse sites, plus tracking of
changes to the fingerprint.  Hard to tell a legit change in cert from
a forced one, but you can at least be notified that it's not at least
x days old.  A forged cert can't have the same fingerprint as the
original since the CA is never in possession of the legit private key.

On Sat, Mar 27, 2010 at 7:44 PM, Sai Emrys <sai at saizai.com> wrote:
> http://files.cloudprivacy.net/ssl-mitm.pdf
> http://www.crypto.com/blog/spycerts/
>
> Should be of interest to many of you.
>
> Any chance we can find out who the "cooperative" cert authorities are
> who are handing out fake certs and blackball them?
>
> - Sai
>



-- 
Ryan Castellucci http://ryanc.org/
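
The check described in the message above, as an added example that is not part of the original post and not Perspectives' own code or protocol: a simplified model that compares the fingerprint a client is shown against what several vantage points currently observe, and flags fingerprints younger than x days. The notary names, byte strings, SHA-256 choice, quorum and `min_days` values are all constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

def fingerprint(cert_bytes):
    """Hex SHA-256 of the certificate bytes (hash choice is an assumption)."""
    return hashlib.sha256(cert_bytes).hexdigest()

def evaluate(presented_fp, histories, now, min_days=7, quorum=0.75):
    """histories maps notary name -> [(fp, first_seen, last_seen), ...], oldest first.
    Returns 'consistent', 'too_new', 'mismatch' or 'no_data'."""
    if not histories:
        return "no_data"
    agree = aged = 0
    for spans in histories.values():
        if not spans:
            continue                             # this notary has never seen the site
        fp, first_seen, _last_seen = spans[-1]   # what this notary sees now
        if fp == presented_fp:
            agree += 1
            if now - first_seen >= timedelta(days=min_days):
                aged += 1
    needed = quorum * len(histories)
    if agree < needed:
        return "mismatch"    # other vantage points see a different cert
    if aged < needed:
        return "too_new"     # seen everywhere, but younger than min_days
    return "consistent"

# Constructed sample data: byte strings stand in for DER certificates.
NOW = datetime(2010, 3, 28, tzinfo=timezone.utc)
ORIGINAL, REPLACED, FORGED = (fingerprint(b) for b in (
    b"constructed-original", b"constructed-replaced", b"constructed-forged"))
YEAR_AGO, TWO_DAYS_AGO = NOW - timedelta(days=365), NOW - timedelta(days=2)
NOTARIES = ("notary-a", "notary-b", "notary-c")
STABLE = {n: [(ORIGINAL, YEAR_AGO, NOW)] for n in NOTARIES}
CHANGED = {n: [(ORIGINAL, YEAR_AGO, TWO_DAYS_AGO), (REPLACED, TWO_DAYS_AGO, NOW)]
           for n in NOTARIES}

def demo():
    return {
        "long-lived cert": evaluate(ORIGINAL, STABLE, NOW),
        "different cert on local path": evaluate(FORGED, STABLE, NOW),
        "recently changed cert": evaluate(REPLACED, CHANGED, NOW),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The `too_new` verdict cannot distinguish a legitimate certificate change from a forced one; it only surfaces the change so that it can be reviewed.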


