On Tue, Oct 15, 2013 at 6:59 AM, Oliver Loch <[email protected]> wrote:
> Hi, > > as we all know from the NSA disclosures of Edward Snowden, the NSA is > collecting data and has access to any data that is available in the USA. > We've also learned that companies which are located on USA soil, must hand > the NSA and other governmental institutions any requested data available. > > This raises the question if the root certificates of CAs that are located > on USA soil are still trustworthy or if the private keys of those > certificates have been handed over to the NSA and allow the NSA to generate > VALID certificates for any situation and in any form necessary. > > I'm talking about MITM attacks and redirects to web servers that do not > belong to the domain that the certificate shown was issued for and which > are manipulated to install spyware and stuff. There are tons of other > possibilities imaginable… > > So are they still trustworthy? > I don't think any US based company is going to be considered trustworthy until the use of National Security Letters is ruled unconstitutional by the courts. Especially not browser companies based in Mountain View California. For what it is worth, our CA is based in the UK but any corporation that has any part of its operations in the US could come under pressure. Reading through the powers granted, I think the chance of using an NSL to suborn a CA is very small since it is very observable. The browser is a far better point of attack. But the idea that the NSA is going round suborning companies on a widespread basis seems a little silly to me since there is no way they could expect to keep the engineers quiet. It is possible that some of the cryptanachy cipherpunk folk are plants but I have known most of them twenty years now. I rather doubt that they have all been turned. If the NSA can't keep its own employees quiet, they can hardly keep non employees quiet. That is the handwavy explanation anyway. I have a more mathematical treatment if anyone is interested. -- Website: http://hallambaker.com/ _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
