On Tue, 10 Sep 2013 17:04:51 -0400 Joe Abley <jab...@hopcount.ca> wrote:
> On 2013-09-09, at 12:04, "Salz, Rich" <rs...@akamai.com> wrote:
>
> > then maybe it's not such a "silly accusation" to think that
> > root CAs are routinely distributed to multinational secret
> > services to perform MITM session decryption on any form of
> > communication that derives its security from the CA PKI.
> >
> > How would this work, in practice?
>
> Suppose Mallory has access to the private keys of CAs which are in
> "the" browser list or otherwise widely-trusted.
>
> An on-path attack between Alice and Bob would allow Mallory to
> terminate Alice's TLS connection, presenting an
> opportunistically-generated server-side certificate with signatures
> that allow it to be trusted by Alice without pop-ups and warnings.
Note that the apparent attacks against Petrobras, SWIFT and others
disclosed a few days ago appear to have used precisely this attack.

Perry
--
Perry E. Metzger pe...@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
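The scenario Joe describes, as an added illustration that is not part of this thread: two CAs in the trust store, one honest and one whose key Mallory holds, each issuing a leaf for the same hostname. Standard path validation accepts both, which is why a client that relies only on the root store cannot tell them apart; a public-key pin recorded out of band does. The CA names, the hostname example.test and the helper names are constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a self-signed CA when parent is nil, otherwise a server leaf for hostname name signed by parent.
func mkCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageCertSign,
	}
	signer, signKey := tmpl, key // self-signed CA
	if parent != nil {
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{name}
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value public-key pinning compares.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// chainOK is the path validation a browser performs for example.test against its root store.
func chainOK(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots { pool.AddCert(r) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: pool})
	return err == nil
}
// Demo: both leaves pass chain validation; only the pin tells the genuine server from the MITM.
func Demo() (bothValidate, genuinePinned, mitmPinned bool) {
	honestCA, honestKey := mkCert("Honest CA", nil, nil)
	rogueCA, rogueKey := mkCert("Compromised CA", nil, nil) // private key held by Mallory
	genuine, _ := mkCert("example.test", honestCA, honestKey)
	mitm, _ := mkCert("example.test", rogueCA, rogueKey) // opportunistically generated
	pin := spkiPin(genuine)                               // recorded out of band earlier
	both := chainOK(genuine, honestCA, rogueCA) && chainOK(mitm, honestCA, rogueCA)
	return both, spkiPin(genuine) == pin, spkiPin(mitm) == pin
}
```

Demo returns (true, true, false): chain validation alone accepts Mallory's certificate, the pin check rejects it.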