nationwide interception of Facebook & webmail login credentials in Tunisia

Mark Lomas ukcrypto at absent-minded.com
Wed Jan 26 11:58:13 GMT 2011


Perhaps I should have been more explicit about the reason for my question.

It is alleged that somebody is interfering with traffic to Facebook. The
suggested countermeasure is to insist upon an SSL connection from the outset
- not to trust the standard HTTP page.

If those same attackers can persuade *any* of the CAs trusted by the browser
to issue a duplicate Facebook certificate then they can interfere with SSL
connections as well. Most browsers will not display any warning message in
such circumstances.

You can reduce (but not eliminate) this risk by paring down the list of
trusted CAs.

Now consider which SSL sites you visit. Perhaps your e-mail service or your
bank. Are you happy that *all* of the CAs trusted by your browser are
permitted to sign certificates purporting to represent your e-mail service
or bank?

        Mark


On 26 January 2011 11:26, Brian Morrison <bdm at fenrir.org.uk> wrote:

> On Wed, 26 Jan 2011 09:18:11 +0000
> Mark Lomas <ukcrypto at absent-minded.com> wrote:
>
> > May I conduct an informal survey? Who on this mailing list has not
> > removed any of the CA certificates that were pre-installed by whoever
> > supplied your browser?
>
> Not me. All I have done is add the CACert root certificate so that
> some of my own certificates work.
>
> Having said that, I don't ignore any error or warning messages, and I
> do quite often check certificate fingerprints. In a widely rolled-out
> deployment of SSL the security you gain is there to raise the bar to
> compromise, not to eliminate it.
>
> --
>
> Brian Morrison
>
>
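
One way to script the two measures discussed in this thread, a pared-down CA list and a certificate fingerprint check, as an added example that is not part of either message. The function names, the curated CA bundle file and the sample byte strings are assumptions made for illustration, and SHA-256 is the fingerprint hash chosen here.

```python
import hashlib
import hmac
import socket
import ssl


def normalise(fp: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pinned: str) -> bool:
    """True only if the certificate is byte-for-byte the one recorded earlier."""
    return hmac.compare_digest(fingerprint(der), normalise(pinned))


def pared_down_context(ca_bundle: str) -> ssl.SSLContext:
    """Client context trusting only the CAs in ca_bundle (a PEM file you
    curate, hypothetical here), not the full list shipped with the browser."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # chain + hostname checks on
    ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def check_site(host: str, pinned: str, ca_bundle: str, port: int = 443) -> bool:
    """Handshake against the pared-down CA list, then compare the leaf
    certificate with a fingerprint recorded out of band."""
    ctx = pared_down_context(ca_bundle)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return pin_matches(der, pinned)


# Constructed stand-ins for two different certificates issued for one name
# (not real DER); they let the comparison logic run offline.
KNOWN_CERT = b"constructed: certificate recorded on first visit"
DUPLICATE_CERT = b"constructed: same name, issued by a different CA"
PINNED = fingerprint(KNOWN_CERT).upper()
```

A certificate that chains to a still-trusted CA passes the handshake in `check_site` but fails `pin_matches` unless it is the exact certificate recorded earlier, so a legitimate renewal also needs the pin updated.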