
dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to InfinityDev

Re: Simple solution

said by InfinityDev:

Yes, if ISPs are inserted into the SSL certificate chain. Most ISPs don't do this but censored countries and many corporate networks, for example, do this. When in the certificate chain they can proxy SSL traffic silently and eavesdrop on the traffic going through the connection.

"Steve explains why and how world governments are able to legally compel their national SSL Certificate Authorities to issue Intermediate CA certificates which allow agencies of those governments to surreptitiously intercept, decrypt, and monitor secured SSL connections of any and all kinds."

»www.grc.com/sn/sn-243.htm

In the real world the ISP can trick you into installing their root cert the same way they can trick you into installing a key logger or advertising malware. This is realistically the only capability they will see.

Any covert LEA capability to sign fake certs is sure as hell not going to be pissed away in pursuit of extracting a few dollars from advertising campaigns.

The days of the MD5-only signatures used previously to generate fake intermediates with PS3 clusters are over. As of a few months ago some browsers have stopped accepting them.