Yes, if ISPs are inserted into the SSL certificate chain. Most ISPs don't do this but censored countries and many corporate networks, for example, do this. When in the certificate chain they can proxy SSL traffic silently and eavesdrop on the traffic going through the connection.

"Steve explains why and how world governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds."
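The interception the reply describes works because a CA in the trust store (a national CA, an ISP-installed root, a corporate proxy) can mint a leaf for any name, and the browser accepts it. The only thing the interceptor cannot reproduce is the real site's public key, which is why pinning the SubjectPublicKeyInfo catches it. The following is an added, stand-alone Python example (not from the thread or from the Security Now episode quoted above); it uses only the standard library, parses just enough DER to pull the SPKI out of the leaf certificate and compares its SHA-256 pin against a set the operator recorded earlier. Host names, pin values and the sample certificates in the test are assumptions/constructed.

```python
import base64
import hashlib
import socket
import ssl

def der_read(buf: bytes, off: int = 0):
    """Read one DER TLV at `off`; return (tag, value, raw_tlv, next_offset)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    start, end = off + hdr, off + hdr + length
    return tag, buf[start:end], buf[off:end], end

def der_children(value: bytes):
    """Split the contents of a SEQUENCE into (tag, raw_tlv) children."""
    out, off = [], 0
    while off < len(value):
        tag, _, raw, off = der_read(value, off)
        out.append((tag, raw))
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER-encoded X.509 certificate."""
    _, cert_body, _, _ = der_read(cert_der)            # Certificate ::= SEQUENCE
    _, tbs_raw = der_children(cert_body)[0]            # tbsCertificate
    _, tbs_body, _, _ = der_read(tbs_raw)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version (absent in v1)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def spki_pin(cert_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der: bytes, expected_pins: set) -> bool:
    """True if the presented leaf carries one of the pinned keys. A mismatch on a site whose
    key has not rotated means another CA issued the leaf, e.g. an interception proxy."""
    return spki_pin(cert_der) in expected_pins

def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate (DER) over a normal, verified TLS handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

Record `spki_pin(fetch_leaf_der("example.invalid"))` from a network you trust, then re-run `pin_matches` from the suspect network; keep a pin for the site's backup key too, or a legitimate key rotation will look like interception.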


In the real world the ISP can trick you into installing their root cert the same way they can trick you into installing a key logger or advertising malware. This is realistically the only capability they will see.

Any covert LEA capability to sign fake certs is sure as hell not going to be pissed away in pursuit of extracting a few dollars from advertising campaigns.

The days of the MD5-only signatures used previously to generate fake intermediates with PS3 clusters are over. As of a few months ago, some browsers have stopped accepting them.