Steve | I know your IP address | Consultant | Yorba Linda, CA
reply to Matt3
Re: Simple solution
said by Matt3: I am familiar with Bruce's piece, and I'm pretty sure you missed a key piece, the part where the cert vendors were induced to issue valid certs for the URLs they wish to intercept.
Cert name mismatches are easy to overcome, you simply spoof the name of the URL with a fake cert.
said by the abstract: These are "false" certs only in the sense that they're not the ones issued by the real owners, but they will validate the same as the real ones, and there's nothing the clients can do to notice that something is awry.
This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications.
I really hope that ISPs are not getting bogus certs.
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site
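The quoted abstract's point is that a compelled certificate chains to a trusted root exactly like the real one, so chain validation alone never flags it. The standard client-side mitigation is public-key pinning: record the SHA-256 of the site's SubjectPublicKeyInfo (the `pin-sha256` form from RFC 7469) and compare it on each connection, so a certificate for the same name but a different key stands out even though it validates. The code below is an added example, not from this thread or from the paper it quotes; it builds two constructed toy certificates in-file (same subject, different issuer and key, placeholder signatures, so they are not real CA-issued certs) and walks their DER with a minimal stdlib-only parser to extract and pin the SPKI.

```python
"""Added example: SPKI pinning check over DER certificates, stdlib only.
The certificates are constructed here as toy input for the parser; their
signatures are placeholders and are never verified."""
import base64
import hashlib

SEQ, INT, OID, BITS, UTC, PRINT, SET, VERSION = 0x30, 0x02, 0x06, 0x03, 0x17, 0x13, 0x31, 0xA0

# ---- tiny DER encoder, used only to build the constructed sample certs ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def name(cn):
    # X.501 Name: SEQUENCE { SET { SEQUENCE { OID commonName, PrintableString } } }
    return der(SEQ, der(SET, der(SEQ, der(OID, b"\x55\x04\x03") + der(PRINT, cn))))

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"      # rsaEncryption
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption

def toy_cert(subject, issuer, pubkey_bits):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    pubkey_bits is an arbitrary constructed byte string standing in for a key."""
    spki = der(SEQ, der(SEQ, der(OID, RSA_OID) + b"\x05\x00") + der(BITS, b"\x00" + pubkey_bits))
    tbs = der(SEQ,
              der(VERSION, der(INT, b"\x02"))                   # version v3 (explicit [0])
              + der(INT, b"\x01")                               # serialNumber
              + der(SEQ, der(OID, SHA256_RSA_OID) + b"\x05\x00")  # signature algorithm
              + name(issuer)
              + der(SEQ, der(UTC, b"240101000000Z") + der(UTC, b"250101000000Z"))
              + name(subject)
              + spki)
    sig = der(SEQ, der(OID, SHA256_RSA_OID) + b"\x05\x00") + der(BITS, b"\x00" * 9)  # placeholder
    return der(SEQ, tbs + sig)

# ---- minimal DER walker: returns [(tag, raw_tlv, content)] for one level ----
def split(buf):
    out, pos = [], 0
    while pos < len(buf):
        start, tag, ln = pos, buf[pos], buf[pos + 1]
        pos += 2
        if ln & 0x80:                       # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        out.append((tag, buf[start:pos + ln], buf[pos:pos + ln]))
        pos += ln
    return out

def _tbs_fields(cert_der):
    tbs = split(split(cert_der)[0][2])[0][2]
    fields = split(tbs)
    if fields[0][0] == VERSION:             # optional explicit version tag
        fields = fields[1:]
    return fields                           # serial, sigalg, issuer, validity, subject, spki, ...

def subject_cn(cert_der):
    rdn_set = split(_tbs_fields(cert_der)[4][2])[0][2]
    attr = split(rdn_set)[0][2]
    return split(attr)[1][2].decode()

def spki_pin(cert_der):
    """RFC 7469 pin-sha256: base64(SHA-256(raw SubjectPublicKeyInfo DER))."""
    spki_raw = _tbs_fields(cert_der)[5][1]
    return base64.b64encode(hashlib.sha256(spki_raw).digest()).decode()

def pin_matches(cert_der, pinned_set):
    return spki_pin(cert_der) in pinned_set

# Constructed scenario: the site's real cert and one for the same name issued
# by a different (still trusted) CA with a different key. Chain validation
# would accept both; the pin distinguishes them.
LEGIT = toy_cert(b"www.example.com", b"Real CA", b"\x11" * 32)
COMPELLED = toy_cert(b"www.example.com", b"Another Trusted CA", b"\x22" * 32)
PINS = {spki_pin(LEGIT)}   # what the client recorded on an earlier clean connection

if __name__ == "__main__":
    for label, cert in (("legit", LEGIT), ("same-name/other-key", COMPELLED)):
        print(label, subject_cn(cert), spki_pin(cert), "pin ok" if pin_matches(cert, PINS) else "PIN MISMATCH")
```

The pin hashes only the SubjectPublicKeyInfo, so it survives a legitimate reissue from a different CA as long as the key is kept, and it fails precisely when the key changes without the operator's knowledge; real deployments (browser preload lists, `pin-sha256` headers, mobile apps) also keep a backup pin so a planned key rotation does not lock clients out.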