You are correct on the problem with the model, but nobody yet has come up with a workable alternate model for general use. I know there is some work going on, but it's definitely not mature.
Kurt

On Tue, Feb 7, 2012 at 20:05, Steve Kradel <[email protected]> wrote:
> The problem is not with SSL, but with the centralized CA model... many
> or all of those CAs simply aren't as trustworthy as one might like to
> believe.
>
> Regardless, this is foul, foul stuff, issuing an any-purpose cert to a
> third party for snooping on their employees. Normally in this kind of
> police-state company environment, the organization sets up its own CA
> and propagates its cert to devices. But MITM'ing with the help of a
> CA in the common trust list... ugh.
>
> I'd note that Chrome is resistant to this sort of chicanery, with the
> ability to tie domains to certain issuers. E.g., Chrome can reject an
> otherwise verifiable and valid cert for google.com if it's not from a
> very restricted set of signers.
>
> --Steve
>
> On Tue, Feb 7, 2012 at 6:41 PM, Kurt Buff <[email protected]> wrote:
>> And not necessarily a lot of protection, either.
>>
>> Kurt
>>
>> ---------- Forwarded message ----------
>> From: "Jim Ausman" <[email protected]>
>> Date: Feb 7, 2012 4:49 PM
>> Subject: A Certificate Authority "Man-in-the-middle" attack corporate
>> attack in the wild
>> To: <[email protected]>
>>
>> Dave,
>>
>> For IP, if you wish
>>
>> Trustwave, a CA authority, issued a certificate that allowed the owner
>> to issue any valid certificate to facilitate man-in-the-middle attacks
>> on their employees.
>>
>> http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html
>>
>> They say that they used a special hardware container to ensure that
>> this could not be used for anything other than the intended purpose,
>> but this still indicates that a long-suspected weakness in the CA
>> infrastructure is being exploited to eavesdrop on traffic.
>>
>> http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html
>>
>> EFF sent out an alert about the fact that Iran was doing this a few
>> months ago, but this is the first I have heard of a corporation doing
>> it.
>>
>> https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google
>>
>> Cheers,
>> Jim
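Steve's remark about Chrome tying domains to a restricted set of issuers describes public-key pinning. The following is an added example, not code from the thread or from Chrome: a Go pin check layered on top of normal X.509 path validation, run against a constructed throwaway PKI in which two CAs are trusted but only one is pinned for the host, so a certificate for the same host from the other CA validates and is still rejected. The names verifyPinned, mkCert, scenario and the host www.example.com are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// verifyPinned runs ordinary path validation, then also requires a chain certificate whose SPKI SHA-256 is pinned.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[[32]byte]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // no chains when err != nil
	for _, chain := range chains {
		for _, c := range chain {
			if pins[sha256.Sum256(c.RawSubjectPublicKeyInfo)] {
				return nil
			}
		}
	}
	return errors.Join(err, errors.New("no certificate in any validated chain matches the pin set"))
}

// mkCert mints a throwaway test certificate (constructed PKI, not a real CA); a nil parent gives a self-signed root.
func mkCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the template signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// scenario: two trusted CAs, only one pinned for host; verdicts for a leaf from each (the second is the valid-but-unpinned case).
func scenario(host string) (fromPinnedCA, fromOtherCA error) {
	pinnedCA, pinnedKey := mkCert("Pinned-Root-CA", nil, nil)
	otherCA, otherKey := mkCert("Other-Trusted-CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	roots.AddCert(otherCA)
	pins := map[[32]byte]bool{sha256.Sum256(pinnedCA.RawSubjectPublicKeyInfo): true}
	good, _ := mkCert(host, pinnedCA, pinnedKey)
	other, _ := mkCert(host, otherCA, otherKey)
	return verifyPinned(good, roots, host, pins), verifyPinned(other, roots, host, pins)
}
```

For the leaf from the unpinned CA the error carries only the pin message, which shows that path validation against the trust store succeeded and the pin alone rejected it.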
