[ISN] Law Enforcement Appliance Subverts SSL

From: InfoSec News <alerts_at_private>
Date: Thu, 25 Mar 2010 00:36:28 -0600 (CST)

By Ryan Singel
Threat Level
March 24, 2010

That little lock on your browser window indicating you are communicating 
securely with your bank or e-mail account may not always mean what you 
think its means.

Normally when a user visits a secure website, such as Bank of America, 
Gmail, PayPal or eBay, the browser examines the website's certificate to 
verify its authenticity.

At a recent wiretapping convention, however, security researcher Chris 
Soghoian discovered that a small company was marketing internet spying 
boxes to the feds. The boxes were designed to intercept those 
communications - without breaking the encryption - by using forged 
security certificates, instead of the real ones that websites use to 
verify secure connections. To use the appliance, the government would 
need to acquire a forged certificate from any one of more than 100 
trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she 
is talking directly to Bob, but instead Mallory found a way to get in 
the middle and pass the messages back and forth without Alice or Bob 
knowing she was there.

The existence of a marketed product indicates the vulnerability is 
likely being exploited by more than just information-hungry governments, 
according to leading encryption expert Matt Blaze, a computer science 
professor at University of Pennsylvania.

"If the company is selling this to law enforcement and the intelligence 
community, it is not that large a leap to conclude that other, more 
malicious people have worked out the details of how to exploit this," 
Blaze said.

The company in question is known as Packet Forensics, which advertised 
its new man-in-the-middle capabilities in a brochure handed out at the 
Intelligent Support Systems (ISS) conference, a Washington, D.C., 
wiretapping convention that typically bans the press. Soghoian attended 
the convention, notoriously capturing a Sprint manager bragging about 
the huge volumes of surveillance requests it processes for the 


Register now for HITBSecConf2010 - Dubai, the premier 
deep-knowledge network security event in the GCC, 
featuring keynote speakers John Viega and Matt Watchinski! 
Received on Wed Mar 24 2010 - 23:36:28 PDT

This archive was generated by hypermail 2.2.0 : Wed Mar 24 2010 - 23:46:49 PDT