Thursday, March 25, 2010

Law Enforcement Appliance Subverts SSL | Threat Level


That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.

Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.

At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack: Alice thinks she is talking directly to Bob, but Mallory has found a way to get in the middle and relay the messages back and forth without Alice or Bob knowing she is there.

Well this is lovely. Just lovely.


Anonymous said...

You're not surprised, are you? You work for the Feds, so just think what email they may be reading from your Gmail account while you are on their VPN. See, I told you not to trust SSL connections.

Peter J. Farrell said...

Just slightly scary. Does a purchase of a box include gift certificates for free wire-tap warrants as well?