Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-22 Thread Bushmanov Romanov
Let's be honest, without any mathematical/design/architectural assumptions, about the current PKI practical context. One of the weakest links of PKI is trust delegation to some sort of government-based legislated system. As said somewhere on this mailing list, CAs are companies in those same

Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-22 Thread Ralph Holz
Hi, study this more carefully and as soon as possible. SSL Observatory from EFF is a step forward but we need more. Their distributed observatory is probably going to help much here, but I can offer the data sets from our paper. I'll put the paper online tomorrow and paste the link here. 1 -

Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-22 Thread Bushmanov Romanov
The way you position yourself in the network infrastructure is of great importance when doing data collection. Users of a given ISP may have rogue certificates while others in the same country but on another ISP may not. We as researchers need to position ourselves at different network scopes in

Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-19 Thread Ralph Holz
Hi, http://www.meleeisland.de/issuer_ca_on_eff.csv Oh, now it makes sense, those are mostly router certs (and various other certs from vendors who create broken certs like the Plesk ones). You won't just Hm. I agree that many are router certs, certainly those with brand names of networking

Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-19 Thread Peter Gutmann
Ralph Holz h...@net.in.tum.de writes: I am wondering if we can't get our hands on such a router and do a proof-of-concept. Anyone in? In terms of warkitting routers, they're pretty much all vulnerable [0], so all you'd need to do after that is exploit the CA certs. OTOH if you can warkit a

Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-19 Thread Randall Webmail
From: Peter Gutmann pgut...@cs.auckland.ac.nz To: cryptography@randombit.net Sent: Monday, September 19, 2011 2:32:21 PM Subject: Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea) Ralph Holz h...@net.in.tum.de writes: In terms of warkitting

Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-19 Thread Peter Gutmann
Randall Webmail rv...@insightbb.com writes: Does this warkitting require physical access to the router? No, it's all remotely done. (This is why I have two different routers from different vendors between me and the public internet, and have had this setup for about a decade now). Peter.

Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-18 Thread Peter Gutmann
Ralph Holz h...@net.in.tum.de writes: In the EFF dataset of the full IPv4 space, I find 773,512 such certificates. Could these be from the bizarro Korean DIY PKI (the NPKI) that they've implemented? Could you post (or email) some of the certs? Peter.

Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-18 Thread Ralph Holz
Hi, In the EFF dataset of the full IPv4 space, I find 773,512 such certificates. Could these be from the bizarro Korean DIY PKI (the NPKI) that they've implemented? Could you post (or email) some of the certs? I don't think so. Here is a list of COUNT(issuers), issuers from the EFF

[cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-17 Thread Marsh Ray
Been seeing Twitter from @ralphholz, @KevinSMcArthur, and @eddy_nigg about some goofy certs surfacing in S Korea with CA=true. via Reddit http://www.reddit.com/tb/kj25j http://english.hani.co.kr/arti/english_edition/e_national/496473.html It's not entirely clear that a trusted CA cert is
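A worked check for the two analyses the posts above touch on, added here as an editor's example and not code from any message in this thread: sorting observed CA=true certificates into the router/vendor default certs that Ralph Holz's issuer breakdown turns up versus the genuinely alarming case of a CA certificate that chains to a trusted root, plus the COUNT(issuers) tally he mentions. It is Go using only the standard library. The root, intermediate, leaf and router certificates, their names and their keys are all fabricated inline; the rule for what to alarm on (CA=true and a successful chain to the supplied trust store) is my assumption about what a scan should flag, not anything the thread specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is what an observatory-style scan records for one observed cert.
type Finding struct {
	Subject, Issuer string
	IsCA            bool // basicConstraints CA=true
	SelfSigned      bool // signature verifies under the cert's own key
	TrustedChain    bool // builds a chain to one of the supplied trust-store roots
}

// Verdict separates the two things the thread is careful not to conflate: vendor
// junk that merely claims CA=true versus a CA cert a browser would actually trust.
func (f Finding) Verdict() string {
	switch {
	case f.IsCA && f.TrustedChain:
		return "ALERT: CA=true cert chaining to a trusted root observed on an end host"
	case f.IsCA && f.SelfSigned:
		return "self-signed CA=true (typical router/vendor default cert)"
	case f.IsCA:
		return "CA=true from an untrusted issuer"
	}
	return "end-entity cert"
}

// Classify verifies every observed cert against roots, reusing the CA=true certs
// from the same scan as candidate intermediates, as a scanner would.
func Classify(observed []*x509.Certificate, roots *x509.CertPool) []Finding {
	inters := x509.NewCertPool()
	for _, c := range observed {
		if c.BasicConstraintsValid && c.IsCA { inters.AddCert(c) }
	}
	var out []Finding
	for _, c := range observed {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // EKU is not the question here
		out = append(out, Finding{Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName,
			IsCA: c.BasicConstraintsValid && c.IsCA, SelfSigned: c.CheckSignatureFrom(c) == nil,
			TrustedChain: err == nil})
	}
	return out
}

// CountByIssuer is the "COUNT(issuers), issuers" view used in the thread.
func CountByIssuer(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Issuer]++
	}
	return counts
}

// newKey, tmpl and sign fabricate the sample dataset with throwaway P-256 keys.
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

func tmpl(serial int64, cn string, ca bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca { ku = x509.KeyUsageCertSign }
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: ku}
}

// sign issues t under parent (pass t itself for a self-signed cert) and parses the result.
func sign(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

// constructedScan is a made-up stand-in for a scan dataset: a trusted root, an
// intermediate it issued, a leaf, and a self-signed router cert claiming CA=true.
func constructedScan() ([]*x509.Certificate, *x509.CertPool) {
	rootKey, interKey, leafKey, routerKey := newKey(), newKey(), newKey(), newKey()
	rootT := tmpl(1, "Example Trusted Root", true)
	root := sign(rootT, rootT, &rootKey.PublicKey, rootKey)
	inter := sign(tmpl(2, "Example Issuing CA", true), root, &interKey.PublicKey, rootKey)
	leaf := sign(tmpl(3, "www.example.test", false), inter, &leafKey.PublicKey, interKey)
	routerT := tmpl(4, "Router Vendor Default", true)
	router := sign(routerT, routerT, &routerKey.PublicKey, routerKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	// What end hosts served: the leaf with its intermediate, plus the router's own cert.
	return []*x509.Certificate{leaf, inter, router}, roots
}

func main() {
	findings := Classify(constructedScan())
	for _, f := range findings {
		fmt.Printf("%-22s issuer=%-22s %s\n", f.Subject, f.Issuer, f.Verdict())
	}
	for issuer, n := range CountByIssuer(findings) {
		fmt.Printf("%d\t%s\n", n, issuer)
	}
}
```

Run it with go run to see the three verdicts; for real use, swap constructedScan for certificates parsed from a scan and a root pool loaded from the browser trust store you care about. The caveat the thread itself raises still applies: a CA=true certificate that chains to a trusted root is only an attack if a client is actually being served that chain, so the script flags candidates, it does not confirm interception.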

Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-17 Thread Arshad Noor
On 09/17/2011 06:37 PM, Marsh Ray wrote: It's not entirely clear that a trusted CA cert is being used in this attack, however the article comes to the conclusion that HTTPS application data is being decrypted so it's the most plausible assumption. Why is it the most plausible assumption?

Re: [cryptography] Another data point on SSL trusted root CA reliability (S Korea)

2011-09-17 Thread James A. Donald
On 2011-09-18 1:18 PM, Arshad Noor wrote: Why do we assume that government spies will go to such lengths to get at an individual's data, when a downloaded root-kit on the target PC suffices? The government has less ability, but no more ability, to rootkit your computer than do ten thousand