Rui Paulo writes:
-+---------------
 | http://www.wired.com/threatlevel/2010/03/packet-forensics/
 |
 | "At a recent wiretapping convention however, security researcher Chris
 | Soghoian discovered that a small company was marketing internet spying
 | boxes to the feds designed to intercept those communications, without
 | breaking the encryption, by using forged security certificates, instead
 | of the real ones that websites use to verify secure connections. To use
 | the appliance, the government would need to acquire a forged certificate
 | from any one of more than 100 trusted Certificate Authorities."
 |

I rather like Cormac Herley's paper:

  http://preview.tinyurl.com/yko7lhg
  So Long, And No Thanks for the Externalities:
  The Rational Rejection of Security Advice by Users

which I cite here for this line:

  It is hard to blame users for not being interested in SSL
  and certificates when (as far as we can determine) 100% of
  all certificate errors seen by users are false positives.

--dan

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com