Intrepidus Group

Trust Revisited

Posted: March 25, 2010 – 8:11 am | Author: | Filed under: ssl | Tags: , , ,

A long, long time ago, on a not so distant blog, I questioned the manner in which we make trust decisions regarding HTTPS enabled web sites.

Yesterday, Sid Stamm and Christopher Soghoian published a very interesting paper that further explores problems with SSL PKI and the trusted CA model. Most recent SSL research has focused on exploiting technical, implementation specific flaws in various pieces of SSL PKI. Stamm and Soghoian instead discuss a much more esoteric threat: various government agencies strong arming trusted Certification Authorities into issuing valid certificates for nefarious purposes.

The authors describe a fictitious attack on Chinese dissidents where the Chinese government coerces a Chinese CA to issue a certificate for US based Google. By detecting a change in the country of origin for the signing CA of the Google certificate, the authors say that an otherwise perfect SSL MITM attack can be detected.

But with all this talk of the Google hack, APT, and various government and defense agencies being successfully attacked themselves, who is to say that the Certification Authorities are immune? Why strong arm a CA, when you can silently issue your own certificate?

Both comments and trackbacks are currently closed.

One Trackback

  1. [...] This post was mentioned on Twitter by Gal Shpantzer. Gal Shpantzer said: RT @IntrepidusGroup: Mike Zusman chimes in on the “Certified Lies” paper — <–Trust in SSL and gov’t coerced CA’s… [...]


This site is protected with Urban Giraffe's plugin 'HTML Purified' and Edward Z. Yang's Powered by HTML Purifier. 24798 items have been purified.