Matt3 | All noise, no signal. | Premium
reply to Steve
Re: Simple solution
said by Steve:
> said by Matt3:
> > They can easily act as a man-in-the-middle SSL proxy and your browser would be none the wiser.
> SSL cannot be proxied in this way without setting off alarm bells in the browser due to cert name mismatches.
Cert name mismatches are easy to overcome, you simply spoof the name of the URL with a fake cert. It's the chain to the intermediate and/or root certificate that is stored in the browser or local computer's certificate store that I'm not quite sure how they'd work around ... without compromising and delivering an intermediate cert to the browser or OS trust store.
Bruce Schneier has a good summation from April of 2010 of one way to do this, readily built into an appliance. The comments are worth reading as well.
Although current browsers don't ordinarily detect unusual or suspiciously changed certificates, there's no fundamental reason they couldn't (and the Soghoian/Stamm paper proposes a Firefox plugin to do just that). In any case, there's no reliable way for the wiretapper to know in advance whether the target will be alerted by a browser that scrutinizes new certificates.
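
The check the quoted passage describes, noticing a changed certificate even though it validates, can be sketched as a trust-on-first-use history. This is an added example, not code from the thread or from the Soghoian/Stamm plugin; the class name, verdict strings, 30-day renewal window and sample observations are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

class CertHistory:
    """Trust-on-first-use record of the last accepted certificate per host."""
    def __init__(self, renewal_window_days=30):  # assumed policy value
        self.seen = {}
        self.renewal_window = timedelta(days=renewal_window_days)

    def observe(self, host, der, issuer_org, issuer_country, not_after, now):
        """Classify a certificate that already passed name and chain validation."""
        new = {"fp": hashlib.sha256(der).hexdigest(), "org": issuer_org,
               "country": issuer_country, "not_after": not_after}
        old = self.seen.get(host)
        if old is None:
            self.seen[host] = new
            return "first-seen"
        if old["fp"] == new["fp"]:
            return "unchanged"
        # Routine renewals happen near expiry; a replacement long before that is unusual.
        early = old["not_after"] - now > self.renewal_window
        if new["country"] != old["country"]:
            verdict = "alert:issuer-country-changed"
        elif new["org"] != old["org"]:
            verdict = "alert:issuer-changed" if early else "warn:issuer-changed-at-renewal"
        else:
            verdict = "warn:early-reissue" if early else "ok:renewal"
        if verdict.startswith("ok"):
            self.seen[host] = new  # alerts and warnings keep the old record
        return verdict

def demo():
    """Constructed observations; the byte strings stand in for DER certificates."""
    h = CertHistory()
    t0, t1 = datetime(2010, 4, 1), datetime(2010, 12, 20)
    obs = [  # (der, issuer org, issuer country, not_after, time of observation)
        (b"leaf-A", "Example CA", "US", datetime(2011, 1, 1), t0),
        (b"leaf-A", "Example CA", "US", datetime(2011, 1, 1), t0),
        (b"leaf-B", "Other CA", "ZZ", datetime(2011, 6, 1), t0),   # valid chain, new issuer
        (b"leaf-C", "Example CA", "US", datetime(2012, 1, 1), t1),  # renewal near expiry
        (b"leaf-D", "Example CA", "US", datetime(2013, 1, 1), t1 + timedelta(days=1)),
    ]
    return [h.observe("mail.example", *o) for o in obs]

if __name__ == "__main__":
    print(demo())
```

In real use the DER bytes and issuer fields would come from the TLS handshake, for example Python's `ssl.SSLSocket.getpeercert()`.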
Steve | I know your IP address | Consultant
Yorba Linda, CA
said by Matt3:
> Cert name mismatches are easy to overcome, you simply spoof the name of the URL with a fake cert.
I am familiar with Bruce's piece, and I'm pretty sure you missed a key piece, the part where the cert vendors were induced to issue valid certs for the URLs they wish to intercept.
said by the abstract:
> This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications.
These are "false" certs only in the sense that they're not the ones issued by the real owners, but they will validate the same as the real ones, and there's nothing the clients can do to notice that something is awry.
I really hope that ISPs are not getting bogus certs.
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site