[tanstaafl]

See Law Enforcement Appliance Subverts SSL

"The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there."

“If company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,”

I have limited exposure if somebody gets my credit card. But I also use Firefox for online banking and filing tax returns. Are there any practical (i.e. not for people wearing tin foil hats) precautions I can take to reduce my risk? The article mentions that one of the trusted root authorities in Firefox was caught last summer secretly uploading spyware onto 100,000 customers’ Blackberrys.

New Research Suggests That Governments May Fake SSL Certificates (from EFF) states: "These attacks are not technically difficult; surveillance companies like Packet Forensics sell tools to automate the process, while security researchers like Moxie Marlinspike have publicly released tools that do the same. All that's needed to make the attack seamless is a false certificate."

"Soghoian and Stamm also observe that browsers trust huge numbers of CAs — and all of those organizations are trusted completely, so that the validity of any entity they approve is accepted without question. Every organization on a browser's trusted list has the power to certify sites all around the world. Existing browsers do not consider whether a certificate was signed by a different CA than before; a laptop that has seen Gmail's site certified by a subsidiary of U.S.-based VeriSign thousands of times would raise no alarm if Gmail suddenly appeared to present a different key apparently certified by an authority in Poland, the United Arab Emirates, Turkey, or Brazil. Yet such a change would be an indication that the user's encrypted HTTP traffic was being intercepted.

[tanstaafl]

I found the Certificate Patrol add-on which alerts you if a certificate changes. That is useful and seems intended to deal with this type of problem, but would give me way too many false positives due to certificates normally expiring and being replaced. Is there something similar available that only warns you if who issues it changed?

Certified Lies: Detecting and Defeating Government Interception Attacks against SSL talks about a CertLock add-on. The Certificate Patrol web page complains "In 7.4 it seems to become clear that the paper is an advertisement for an upcoming add-on, that does pretty much the same as Certificate Patrol, only it also does some of the things which are on our TODO list like the green/yellow/red indicator". However, I can't find that add-on.

Has SSL become pointless? Researchers suspect state sponsored CA forgey gives a summary of that paper and the issue of whether CNNIC should be removed from Firefox’s root store.

I searched one of the authors blogs (who supposedly is the Securinator at Mozilla Corporation according to his LinkedIn profile and a signature he used on a post on the Mozilla Security blog) for any mention of it being prototyped. Also the Mozilla Security blog and the Mozilla Add-ons web site.

I also looked at the Perspectives add-on (based on research sponsored by the NSF and Carnegie Mellon CyLab). That is impractical as it requires me to always worry about this issue and launch/look at a key history window, and lets a third party see what I'm browsing.

[tanstaafl]

http://www.theregister.co.uk/2010/04/06 ... rtificate/ talks about a "RSA Security 1024 V3" CA certificate in Firefox and Thunderbird that no one (including RSA and VeriSign) knew who issued or controlled it.

https://bugzilla.mozilla.org/show_bug.cgi?id=549701

[MichaelRodriguez]

Thank you, i am making report about SSL and hacker threats, that is very helpful online levitra information.

Regards, Michael.