Friday, March 26th, 2010 05:39 pm

Security researchers point out that SSL (Secure Sockets Layer) is vulnerable to what they call the compelled certificate creation attack, in which a government agency (say, the NSA) or operative thereof coerces a certificate issuer (such as Verisign) to issue a falsified SSL certificate, which the agency can then use with certificate renegotiation to perform a transparent man-in-the-middle attack against SSL.
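A compelled certificate is, from the client's side, a perfectly valid chain that simply differs from the one the site presented before: a different issuing CA, a different leaf fingerprint. The following added example (not from the post or the article it summarizes) shows the kind of pin check a client can run to notice that change; the host name, pinned values and the DER bytes are all constructed for illustration.

```python
import hashlib
import socket
import ssl

# Pin store: what the client recorded for the host at first contact. These
# values are constructed for the example; a real store would hold the SHA-256
# of the leaf certificate (or its public key) and the CA that issued it.
PINS = {
    "example.test": {
        "leaf_sha256": hashlib.sha256(b"constructed leaf certificate DER").hexdigest(),
        "issuer_org": "Constructed Root CA",
    }
}

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()

def issuer_org(peercert: dict) -> str:
    """Pull organizationName out of a getpeercert()-style issuer tuple
    (a tuple of RDNs, each RDN a tuple of (attribute, value) pairs)."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def check_against_pins(host: str, leaf_der: bytes, peercert: dict) -> list:
    """Return a list of findings; an empty list means the observed leaf
    matches the pin. A chain that validates yet arrives from a new issuer
    with a new fingerprint is what a compelled certificate looks like to
    the client, so both conditions are reported separately."""
    pin = PINS.get(host)
    if pin is None:
        return ["no pin recorded for host; trust-on-first-use decision needed"]
    findings = []
    if cert_fingerprint(leaf_der) != pin["leaf_sha256"]:
        findings.append("leaf certificate fingerprint changed")
    if issuer_org(peercert) != pin["issuer_org"]:
        findings.append("issuing CA changed to %r" % issuer_org(peercert))
    return findings

def observe_live(host: str, port: int = 443):
    """Fetch what a live server presents, in the two forms the check needs
    (DER bytes and the parsed dict). Not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()
```

Feeding `observe_live()` output into `check_against_pins()` on each connection turns a silently accepted substitute chain into a logged event; it does not tell you why the chain changed, only that it did.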

Friday, March 26th, 2010 10:14 pm (UTC)
But our government (NSA) is Nice People and would never do something like that . . .
Friday, March 26th, 2010 10:17 pm (UTC)
Or the Russian Business Network. Hmpf.
Friday, March 26th, 2010 10:49 pm (UTC)
Indeed. Or, as mentioned in the article, the Chinese top-level certificate issuer, already widely believed to be complicit in Chinese government spying.
Sunday, March 28th, 2010 02:10 am (UTC)
That has and will continue to be a weakness of any such system. It is not only the government but any entity with the power to subvert a certificate issuer without that subversion being disclosed.

It's easier for a government that has control of the issuer's legal or physical environment, but it can be any entity if they see it as being profitable enough and have the resources.

Only provide slightly less than life threatening data to the JBT, black hat or skript kiddie boob that is pwning your PC. K?