said by Matt3:
Cert name mismatches are easy to overcome; you simply spoof the name of the URL with a fake cert.
I am familiar with Bruce's piece, and I'm pretty sure you missed a key piece, the part where the cert vendors were induced to issue valid certs for the URLs they wish to intercept.
said by the abstract:
This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications.
These are "false" certs only in the sense that they're not the ones issued by the real owners, but they will validate the same as the real ones, and there's nothing the clients can do to notice that something is awry.
I really hope that ISPs are not getting bogus certs.
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site