Hi,

On 15.10.2013 at 16:46, Phillip Hallam-Baker <[email protected]> wrote:

> 
> On Tue, Oct 15, 2013 at 6:59 AM, Oliver Loch <[email protected]> wrote:
> Hi,
> 
> as we all know from the NSA disclosures of Edward Snowden, the NSA is 
> collecting data and has access to any data that is available in the USA. 
> We've also learned that companies which are located on USA soil, must hand 
> the NSA and other governmental institutions any requested data available.
> 
> This raises the question if the root certificates of CAs that are located on 
> USA soil are still trustworthy or if the private keys of those certificates 
> have been handed over to the NSA and allow the NSA to generate VALID 
> certificates for any situation and in any form necessary.
> 
> I'm talking about MITM attacks and redirects to web servers that do not 
> belong to the domain that the certificate shown was issued for and which are 
> manipulated to install spyware and stuff. There are tons of other 
> possibilities imaginable…
> 
> So are they still trustworthy?
> 
> I don't think any US based company is going to be considered trustworthy 
> until the use of National Security Letters is ruled unconstitutional by the 
> courts.
> 

I don't think they are trustworthy after that either …

> Especially not browser companies based in Mountain View California.
> 
> For what it is worth, our CA is based in the UK but any corporation that has 
> any part of its operations in the US could come under pressure.
> 
> Reading through the powers granted, I think the chance of using an NSL to 
> suborn a CA is very small since it is very observable. The browser is a far 
> better point of attack.  
> 
> But the idea that the NSA is going round suborning companies on a widespread 
> basis seems a little silly to me since there is no way they could expect to 
> keep the engineers quiet.
> 
> It is possible that some of the crypto-anarchy cypherpunk folk are plants but I 
> have known most of them twenty years now. I rather doubt that they have all 
> been turned. If the NSA can't keep its own employees quiet, they can hardly 
> keep non-employees quiet.
> 
> That is the handwavy explanation anyway.
> 
> I have a more mathematical treatment if anyone is interested.
> 
> -- 
> Website: http://hallambaker.com/

Based on the sentences people are facing - if they start talking to the public 
- it's really possible that the handful of people who know that their 
company handed out the root cert's private key are keeping their mouths shut. I 
don't see how this involves a lot of people.

Another thing is that those certs aren't only used for the encryption of web 
traffic. X.509 certs are used for anything doing SSL/TLS, and being able to 
generate new, VALID certs that allow MITM attacks to be carried out without being caught is 
exactly what the NSA wants.

So IMHO and in all likelihood they have those private keys and use them, which 
renders all the CAs from the USA useless.

Same goes for stuff from Britain and other companies that are also on the USA 
market…

BTW: If you're on a website that you think you know and are redirected to a web 
server that doesn't belong to the website but has a valid cert, so that it looks 
like everything is OK, and this website asks you to install a plugin or other 
software, how likely would it be that a user accepts the installation?

KR,

Oliver
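The risk discussed in this thread is a certificate that chains to a trusted root but was issued by a CA whose signing key is in the wrong hands; chain validation alone cannot distinguish it from the genuine one. The following Python (standard library only) is an added example, not part of the thread or of any project mentioned in it. It shows the check a relying application can do against exactly that case: pin the SHA-256 hash of the expected SubjectPublicKeyInfo (SPKI), so a certificate that carries the right name and a valid chain but a different public key is rejected. The DER encoder/decoder covers only the fields walked here, and the two certificates, their key bytes and signature are constructed placeholders (no real keys, no verifiable signature) so the example runs offline.

```python
import base64
import hashlib

# DER tag numbers used below
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8STRING, UTCTIME = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17)

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element (short or long length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_read(buf: bytes, pos: int = 0):
    """Decode the element starting at pos; return (tag, body, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def der_children(body: bytes):
    """Split a constructed element's body into (tag, full_tlv, inner_body) tuples."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, end = der_read(body, pos)
        out.append((tag, body[pos:end], inner))
        pos = end
    return out

# --- constructed test certificates (placeholders, not real keys) -----------
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")    # OID 1.2.840.113549.1.1.1
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")   # OID 1.2.840.113549.1.1.11
ID_AT_COMMON_NAME = bytes.fromhex("550403")              # OID 2.5.4.3

def make_spki(key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo wrapping placeholder key bytes (not an RSA key)."""
    alg = der_tlv(SEQUENCE, der_tlv(OID, RSA_ENCRYPTION) + der_tlv(NULL, b""))
    return der_tlv(SEQUENCE, alg + der_tlv(BIT_STRING, b"\x00" + key_bytes))

def make_cert(common_name: str, key_bytes: bytes) -> bytes:
    """Constructed X.509 v3 DER certificate with a dummy, unverifiable signature."""
    name = der_tlv(SEQUENCE, der_tlv(SET, der_tlv(SEQUENCE,
        der_tlv(OID, ID_AT_COMMON_NAME) + der_tlv(UTF8STRING, common_name.encode()))))
    sig_alg = der_tlv(SEQUENCE, der_tlv(OID, SHA256_WITH_RSA) + der_tlv(NULL, b""))
    validity = der_tlv(SEQUENCE, der_tlv(UTCTIME, b"131015000000Z")
                                 + der_tlv(UTCTIME, b"141015000000Z"))
    tbs = der_tlv(SEQUENCE,
        der_tlv(0xA0, der_tlv(INTEGER, b"\x02"))   # [0] EXPLICIT version v3
        + der_tlv(INTEGER, b"\x01")                 # serialNumber
        + sig_alg + name + validity + name          # signature, issuer, validity, subject
        + make_spki(key_bytes))                     # subjectPublicKeyInfo
    return der_tlv(SEQUENCE, tbs + sig_alg + der_tlv(BIT_STRING, b"\x00" + b"\xAA" * 64))

# --- the pin check ---------------------------------------------------------
def tbs_fields(cert_der: bytes):
    """Fields of tbsCertificate with the optional version stripped:
    serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ..."""
    tag, body, _ = der_read(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    fields = der_children(der_children(body)[0][2])
    if fields and fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields

def subject_common_name(cert_der: bytes) -> str:
    """The commonName attribute of the subject, as a rogue issuer would copy it."""
    for _, _, rdn_set in der_children(tbs_fields(cert_der)[4][2]):
        for _, _, atv in der_children(rdn_set):
            oid, value = der_children(atv)
            if oid[2] == ID_AT_COMMON_NAME:
                return value[2].decode()
    raise ValueError("no commonName in subject")

def extract_spki(cert_der: bytes) -> bytes:
    """Full DER SubjectPublicKeyInfo TLV; this is what pin-sha256 values hash."""
    return tbs_fields(cert_der)[5][1]

def spki_pin(cert_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def verify_pin(cert_der: bytes, expected_pins: set) -> bool:
    """True only if the presented certificate's public key matches a pinned one.
    Chain validity is deliberately not consulted: a suborned CA can satisfy it."""
    return spki_pin(cert_der) in expected_pins

GENUINE = make_cert("www.example.test", b"\x11" * 64)   # the real server key
ROGUE = make_cert("www.example.test", b"\x22" * 64)     # same name, another key
PINS = {spki_pin(GENUINE)}                              # pin set shipped with the client

if __name__ == "__main__":
    print(subject_common_name(GENUINE), "==", subject_common_name(ROGUE))
    print("genuine accepted:", verify_pin(GENUINE, PINS))
    print("rogue accepted:  ", verify_pin(ROGUE, PINS))
```

The design point is that the pin is computed over the key, not over the certificate or its issuer, so legitimate reissuance with the same key keeps working while a certificate for the same name under a different key fails closed. In a real client the pin set must be maintained with a backup key and an update path, or a routine key rotation locks users out just as effectively as the attack would.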


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy