And not necessarily a lot of protection, either.

Kurt

---------- Forwarded message ----------
From: "Jim Ausman" <aus...@well.com>
Date: Feb 7, 2012 4:49 PM
Subject: A Certificate Authority "Man-in-the-middle" attack corporate
attack in the wild
To: <d...@farber.net>

Dave,

For IP, if you wish

Trustwave, a CA authority, issued a certificate that allowed the owner
to issue any valid certificate to facilitate man-in-the-middle attacks
on their employees.

http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html

They say that they used a special hardware container to ensure that
this could not be used for anything other than the intended purpose,
but this still indicates that a long-suspected weakness in the CA
infrastructure is being exploited to eavesdrop on traffic.

http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html

EFF sent out an alert about the fact that Iran was doing this a few
months ago, but this is the first I have heard of a corporation doing
it.

https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google

Cheers,
Jim