On 09/17/2011 09:03 PM, Arshad Noor wrote:
On 09/17/2011 06:37 PM, Marsh Ray wrote:

It's not entirely clear that a trusted CA cert is being used in
this attack, however the article comes to the conclusion that
HTTPS application data is being decrypted so it's the most
plausible assumption.

Why is it the most plausible assumption?

Did you read the article? It goes on at length about this being a
network-level attack. There is no mention of a compromised endpoint
computer and to the contrary it says they deemed "conventional search
and seizure would be insufficient".

Isn't it far easier to replace the cryptographic libraries on PCs
with one that has a "wrapper" that copies all payloads before
encryption and after decryption, and transmits the payload to the
snooper?

Sure, if you have an exploit all the target's computers. Investigators
have been known to do this at times. But if that were the case, why
wouldn't the security service have just said "yeah we hacked his PC and
installed a keylogger"?

If you were a security service, wouldn't you prefer to admit to using ye
olde everyday keylogger rather that disclosing your ability to "conduct
packet tapping" on HTTPS connections?

Why go through the hassle of breaking a cipher when all you have to
do is replace a few files on the target's PC to get what you want?

I never suggested anyone was breaking a cipher. I said the most
plausible attack was that a trusted CA was being used as the article
seems to describe.

I found the timing particularly interesting as it surfaced at the same time as Holtz's detection of the kooky certs in S Korea.

- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography

Reply via email to