gfxgfx
 
Please login or register.

Login with username, password and session length
 
gfx gfx
gfx
76793 Posts in 13502 Topics by 1651 Members - Latest Member: Arnold99 October 14, 2024, 09:44:28 pm
*
gfx*gfx
gfx
WinMX World :: Forum  |  Discussion  |  WinMx World News  |  EFF Warns Against False SSL Certificate Surveillance
gfx
gfxgfx
 

Author Topic: EFF Warns Against False SSL Certificate Surveillance  (Read 844 times)

0 Members and 1 Guest are viewing this topic.

Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
EFF Warns Against False SSL Certificate Surveillance
« on: September 14, 2011, 01:43:49 am »
It seems the recent web user hijacking skulduggery in Iran is just the tip of the iceberg.

http://www.eff.org/deeplinks/2011/09/post-mortem-iranian-diginotar-attack

Quote
More facts have recently come to light about the compromise of the DigiNotar Certificate Authority, which appears to have enabled Iranian hackers to launch successful man-in-the-middle attacks against hundreds of thousands of Internet users inside and outside of Iran.

Existing web browsers, email clients and operating systems depend on Certificate Authorities (CAs), and the SSL certificates they produce, in order to know that you are really visiting the domain that you intended to visit. If these certificates are false, someone in control of a network can tamper with and spy on connections. A hacker who gets a certificate for mail.google.com, for instance, will be able to steal people's Gmail passwords and hijack their accounts. A hacker who gets a certificate for addons.mozilla.org or *.microsoft.com might be able to install malicious software on victims' computers. In fact, these kinds of attacks against Gmail happened on a massive scale during July and August of this year.

Certificate-based attacks are a concern all over the world, including in the U.S., since governments everywhere are eagerly adopting spying technology to eavesdrop on the public. Vendors of this technology seem to suggest the attacks can be done routinely. Similar attacks may have happened before — this attack is just the first whose details we know about. EFF's SSL Observatory has helped to map out the problem by showing the ways in which CAs are related to one another. Soon, we will launch the Decentralized SSL Observatory, which will offer a real-time method of detecting and protecting against these attacks. We will also have more to say about possible ways of cross-checking and fixing the CA infrastructure in a more sustainable way



Whilst its excellent news that such activity is being monitored its not such good news in reality as unfortunately no one yet has an answer to this problem, foreign or domestic intelligence agencies are free to undertake this kind of man in the middle attack with often no one knowing its occurred and with little to no oversight of who has stolen what data or worse valuable passwords, lets hope this situation is cleaned up before its abused further to the detriment of us all.

Offline DaBees-Knees

  • WMW Team
  • *****
Re: EFF Warns Against False SSL Certificate Surveillance
« Reply #1 on: September 14, 2011, 02:16:50 am »
The main problem in a situation like this is each government wants the ability to spy on everyone else, but objects to other governments having the ability to do the same. Horror of horrors if China is found spying on America. Now ask who America is spying on?  ;)

WinMX World :: Forum  |  Discussion  |  WinMx World News  |  EFF Warns Against False SSL Certificate Surveillance
 

gfxgfx
gfx
©2005-2024 WinMXWorld.com. All Rights Reserved.
SMF 2.0.19 | SMF © 2021, Simple Machines | Terms and Policies
Page created in 0.015 seconds with 22 queries.
Helios Multi © Bloc
gfx
Powered by MySQL Powered by PHP Valid XHTML 1.0! Valid CSS!