nationwide interception of Facebook & webmail logincredentials in Tunisia

M J D Brown mjdb at
Sat Feb 5 18:27:19 GMT 2011

A recent experience has illuminated the CA trust problem for me.  During 
the installation and configuration of a Netgear NAS the default 
assumption of its manufacturer-provided certificate resulted in an 
complaint by IE8.  Having generated a new certificate and key using the 
NAS internal firmware, Windows XP then asked me whether to trust the 
internal LAN URL of the NAS device as the certificate issuing authority. 
I know that nobody else can access the NAS admin area, because only I 
have the key, and data transmissions are encrypted across the LAN which 
is hiding behind a hardware firewall that Shields Up does not penetrate. 
Accordingly I approved the request.  As a rhetorical question: was I 

It would seem that there is a fair concensus that the present system 
cannot be trusted at a technical level.

Apropos the present discussion; I suggest that what we really need to 
identify are the pre-conditions for trusting a certificate issuing 
authority.  If there are really no circumstances in which trust could be 
given, then the whole tomfoolery should be junked.  Otherwise, a new 
system that respects the agreed pre-conditions would be a worthwhile 


----- Original Message ----- 
From: "Richard W.M. Jones" <rich at>
To: "UK Cryptography Policy Discussion Group" 
<ukcrypto at>
Sent: Friday, February 04, 2011 7:23 PM
Subject: Re: nationwide interception of Facebook & webmail 
logincredentials in Tunisia

> On Tue, Feb 01, 2011 at 09:58:40AM -0800, Passive PROFITS wrote:
>> --- On Wed, 1/26/11, Richard W.M. Jones <rich at> wrote:
>> > From: Richard W.M. Jones <rich at>
>> > Subject: Re: nationwide interception of Facebook & webmail login 
>> > credentials in Tunisia
>> > +0000, Brian Morrison wrote:
>> > > True, but are any CAs already present *really* more
>> > trustworthy than
>> > > the others? I suspect not.
>> >
>> > I think this gets to the nub of it. There's literally
>> > no criterion
>> > for trusting a CA except that I set it up myself (and even
>> > then I'm
>> > suspicious :-) Why wouldn't the NSA have the private
>> > keys used by
>> > Verisign? I'd actually consider them to be failing in
>> > their job if
>> > they *hadn't* got them.
>> >
>> > Rich.
>> >
>> > -- 
>> > Richard Jones
>> > Red Hat
>> Which I suppose is why Red Hat was recently named by the Washington 
>> Post as part of the USA military industrial complex.*
>> All non USA companies, governments, etc, using Red Hat products, 
>> should take note, not just of the naming of the company in this 
>> context, but of the attitude of it's employees, to your/your 
>> organisation's security.
>> With employee attitudes to security like those expressed above, who 
>> needs a clandestine stealing of the private key/pass phrase.
>> The implication is clear; use Red Hat products, you're owned. :(
> I've no idea what you're on about.  I work for Red Hat (hence the
> .signature), but the comments here are in *no* way related to,
> endorsed by, authorized by, recommended by, guaranteed by,
> underwritten by or encouraged by Red Hat.  Just to make that clear.
> Rich.
> -- 
> Richard Jones
> Red Hat

More information about the ukcrypto mailing list