The article is very wishy-washy about "forged certificates". This usually means that either 1) a CA is willing/coaxed/forced to issue a certificate with CN=bankofamerica.com for a private key owned by the government of country Mallory or 2) Mallory has obtained the CA's certificate signing private key and can issue certificates with any CN. In both cases, the process is broken - this CA has become untrustworthy to issue server SSL certificates. Detecting the untrustworthiness is unfortunately not easy. Case 1 is usually handled by reviewing the CA's policies and practices for issuing certificates. CAs usually have to be audited and certified by independent organizations before a browser would trust them. To prevent case 2, CAs are supposed to keep their certificates safe and revoke them if a suspicion arises that the key is not safe.
Transparent SSL proxies are otherwise nothing new and are used to allow IDS and IPS devices to detect attacks hidden inside SSL traffic. An example is Netronome's SSL Inspector, which has been commercially available for years now. The device from Packet Forensics seems to be just that - a transparent SSL proxy. I'm not sure why its existence is hidden and not advertised publicly.

Best Regards,
Peter Djalaliev

On Mar 29, 11:11 am, Jean-Marc Desperrier <[email protected]> wrote:
> Jean-Marc Desperrier wrote:
> > Article on Wired here :
> > http://www.wired.com/threatlevel/2010/03/packet-forensics/
>
> The original article is well worth reading also :
> http://files.cloudprivacy.net/ssl-mitm.pdf
>
> Especially the certlock Firefox extension they propose, which builds
> upon Kaie's Conspiracy, but does something more sophisticated.
> Unfortunately it seems it has not been made publicly available until now.

-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
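The thread's point is that a certificate issued to a bank's name by a CA Mallory controls is "valid" as far as the normal chain check goes, so the only client-side signal is a change in who signed the site's certificate. The sketch below is an added example (not the certlock or Conspiracy extension's code, whose exact logic the thread does not describe) of that idea: it parses subject and issuer distinguished names, pins the issuer seen on first contact with a host, and reports a later certificate from a different issuer, escalating when the issuing CA's country changes. The `Observation` records, the CA names and the country code `XX` are constructed for illustration; a real client would take the DNs from the chain it has already validated (for instance from `ssl.SSLSocket.getpeercert()`).

```python
"""Issuer-pinning check for server certificates.

Added example for the discussion of forged certificates; not the code of
the certlock extension.  Certificate records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an RFC 4514-style DN such as 'CN=host,O=Org,C=US' into a dict.

    Handles '\\,' escapes inside attribute values; attribute types are
    normalised to upper case so 'cn' and 'CN' compare equal.
    """
    result: Dict[str, str] = {}
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character, keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends the RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        result[key.strip().upper()] = value.strip()
    return result


@dataclass
class Observation:
    host: str      # hostname the client connected to
    subject: str   # subject DN of the leaf certificate presented
    issuer: str    # DN of the CA that signed it


@dataclass
class PinStore:
    """Remembers the issuer DN first seen for each host."""
    pins: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def check(self, obs: Observation) -> Optional[str]:
        """Return None if the certificate is consistent with history, else an alert."""
        subj = parse_dn(obs.subject)
        iss = parse_dn(obs.issuer)
        # The usual hostname check still applies; a forged cert for the wrong name is easy.
        if subj.get("CN", "").lower() != obs.host.lower():
            return f"{obs.host}: subject CN {subj.get('CN')!r} does not match host"
        prev = self.pins.get(obs.host)
        if prev is None:                         # first contact: trust-on-first-use pin
            self.pins[obs.host] = iss
            return None
        if prev == iss:
            return None
        # Issuer changed.  A change of the CA's country is the stronger signal
        # (a site rarely moves to a CA in another jurisdiction); any other change
        # is reported at lower severity so a legitimate CA switch can be reviewed.
        if prev.get("C") != iss.get("C"):
            return (f"{obs.host}: ALERT issuer changed from {prev.get('O')} ({prev.get('C')}) "
                    f"to {iss.get('O')} ({iss.get('C')}) - possible forged certificate")
        return f"{obs.host}: WARNING issuer changed from {prev.get('O')} to {iss.get('O')}"


# Constructed sample observations: two normal visits, then a certificate for the
# same host signed by a different CA in another country ('XX' is a placeholder code).
OBSERVATIONS: List[Observation] = [
    Observation("bankofamerica.com", "CN=bankofamerica.com,O=Bank of America,C=US",
                "CN=Example Trusted CA,O=Example Trust Inc\\, Ltd,C=US"),
    Observation("bankofamerica.com", "CN=bankofamerica.com,O=Bank of America,C=US",
                "CN=Example Trusted CA,O=Example Trust Inc\\, Ltd,C=US"),
    Observation("bankofamerica.com", "CN=bankofamerica.com,O=Bank of America,C=US",
                "CN=Mallory National CA,O=Mallory PKI,C=XX"),
]


def run(observations: List[Observation] = OBSERVATIONS) -> List[str]:
    """Feed observations through a fresh PinStore and collect the alerts raised."""
    store = PinStore()
    alerts: List[str] = []
    for obs in observations:
        msg = store.check(obs)
        if msg:
            alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

The pin is keyed on the full issuer DN rather than the CA's key, so a routine re-issue by the same CA produces no noise, while the first-use pin means a proxy that is already in place when the host is first visited is not detected; that limitation is inherent to any trust-on-first-use scheme and is why such a check complements, rather than replaces, CA auditing and revocation.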

