On 12.07.2016 12:59, Daniel Kalchev wrote:
> The standard HTTPS implementation is already sufficiently broken, with the 
> door wide open by the concept of “multiple CAs”. The protocol design is 
> flawed, as any CA can issue a certificate for any site. Applications are 
> required to trust those certificates, as long as they trust the CA that issued 
> them.
> It is trivial to play MITM with this protocol and in fact, there are 
> commercially available “solutions” for “securing one’s corporate network” 
> that do exactly that. Some believe this is with the knowledge and approval 
> of the corporation, but who is to say what the black box actually does and 
> whose interests it serves?
> There is of course an update to the protocol, DANE, that just shuts this door 
> off. But… it faces heavy resistance, as its acceptance would mean the end of 
> the lucrative CA business and the ability to intercept “secure” HTTPS 
> communication. Those relying on the HTTPS flaws will never let it become 
> widespread.
> In summary — anyone can sniff HTTPS traffic. No need for any cipher backdoors 
> here. Nor any need for GOST to be involved.

You forget to mention that the CA must already be in the trusted root list
for that to happen.
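The trust model the two posters are arguing about, as an added Go example that is not part of either message: a constructed "interception" root issues a certificate for example.com, and the checks show that ordinary chain validation accepts it only once that root is in the trusted list, while a DANE-EE record, which pins the site's own key, rejects it no matter which CAs are trusted. The CA names, the host and the DNS record value are all constructed here, and the DNS lookup itself is not modelled.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert returns a self-signed root when parent is nil, otherwise a leaf for host signed by parent/pkey.
func mkCert(host string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root: nothing in X.509 restricts which names it may sign for
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pkey = tmpl, priv
	} else { // leaf: the name is bound to the site, not to any particular issuer
		tmpl.DNSNames = []string{host}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
func pkixOK(leaf *x509.Certificate, host string, roots *x509.CertPool) bool { // ordinary HTTPS check: any trusted root will do
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
// daneEE mimics DANE-EE (usage 3): the DNS record pins the site's own key, so no CA gets a say.
func daneEE(leaf *x509.Certificate, record [32]byte) bool { return sha256.Sum256(leaf.RawSubjectPublicKeyInfo) == record }
// Scenario: a legitimate root and an interception root (both constructed here) issue for the same host.
func Scenario() (mitmWhenTrusted, mitmWhenUntrusted, mitmUnderDANE, legitUnderDANE bool) {
	host := "example.com"
	legitCA, legitKey := mkCert("Legit Root CA", nil, nil)
	mitmCA, mitmKey := mkCert("Interception CA", nil, nil)
	legitLeaf, _ := mkCert(host, legitCA, legitKey)
	mitmLeaf, _ := mkCert(host, mitmCA, mitmKey)
	onlyLegit, both := x509.NewCertPool(), x509.NewCertPool()
	onlyLegit.AddCert(legitCA)
	both.AddCert(legitCA)
	both.AddCert(mitmCA) // the interception CA has been installed in the trusted root list
	record := sha256.Sum256(legitLeaf.RawSubjectPublicKeyInfo) // what the site would publish in DNS
	return pkixOK(mitmLeaf, host, both), pkixOK(mitmLeaf, host, onlyLegit), daneEE(mitmLeaf, record), daneEE(legitLeaf, record)
}
```

Scenario returns true, false, false, true: the interception certificate passes the standard check only because its root was trusted, and the DANE-EE pin rejects it while still accepting the genuine site.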

