On Wed, Jan 2, 2013 at 5:38 PM, John R. Levine <[email protected]> wrote:
>> Are you, at this moment, able to acquire a falsely signed certificate
>> for www.herrin.us that my web browser will accept?
>
> Me, no, although I have read credible reports that otherwise reputable SSL
> signers have issued MITM certs to governments for their filtering firewalls.

The governments in question are watching for exfiltration and they largely use a less risky approach: they issue their own root key and, in most cases, install it in the government employees' browser before handing them the machine.

A "reputable" SSL signer would have to get outed just once issuing a government a resigning cert and they'd be kicked out of all the browsers. They'd be awfully easy to catch.

Regards,
Bill Herrin

--
William D. Herrin ................ [email protected] [email protected]
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

