> Normally when a user visits a secure website, such as Bank of America, Gmail,
> PayPal or eBay, the browser examines the website's certificate to verify its
> authenticity. At a recent wiretapping convention, however, security researcher
> Chris Soghoian discovered that a small company was marketing internet spying
> boxes to the feds. The boxes were designed to intercept those communications
> - without breaking the encryption - by using forged security certificates,
> instead of the real ones that websites use to verify secure connections.

This is new? Don't people understand that they place trust (whether valid or not) in the certificate authorities within their web browsers? The only difference between now and the mid-1990s is that all root CAs are not listed in Internet Explorer but are instead downloaded "in real time"...
--Keith

Keith Young, Security Official
Department of Technology Services
Montgomery County, Maryland
phone - (240) 777-2955

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
