This blog post makes it sound pretty simple:
Back doors in certs?? Do you have references for this claim?
I am just asking for other sources to verify your claim that https certs are broken and gov sources can read encrypted streams.
security researchers have uncovered more than 600 groups who, through such delegation, are now also automatically trusted by most browsers, including the Department of Homeland Security, Google, and Ford Motors and a UAE mobile phone company called Etisalat.
Now that's a reference :)
I accept that it's possible, but like snare mentioned, do they have all the signing keys for all private CAs?
Can we have a crowd-based system of MITM monitoring please??
Yes, it is that bad: a site can change IP address and certificate and your browser will not warn you. There is no way to know that your data might be going to a different location unless you manually check a site's certificate.
A site can probably change IP address since the certificate is assigned to a domain name, but this would require a DNS compromise and the ability to sign certificates. It could change certificate without the browser warning you, again, only if the new certificate was signed by a trusted CA. Both very low likelihood IMHO, though the DigiNotar incident demonstrates that it's a real possibility.
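The manual certificate check and the crowd-based monitoring idea raised above can be sketched as follows. This is an added example, not code from anyone in the thread; the function names, host names, observer names and the byte strings standing in for certificates are all assumptions constructed for illustration.

```python
import hashlib
import ssl
from collections import Counter

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def fetch_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the leaf certificate presented to this vantage point.
    Needs network access; not called by the offline demo below."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))

def check_pin(pins: dict, host: str, fp: str) -> str:
    """Trust on first use: remember the first fingerprint seen for a host and
    report any later change, even when the new certificate chains to a trusted CA."""
    if host not in pins:
        pins[host] = fp
        return "first-seen"
    return "match" if pins[host] == fp else "changed"

def outliers(reports: dict) -> list:
    """reports maps observer name -> fingerprint that observer saw for one host.
    Returns the observers whose view differs from the majority fingerprint."""
    if not reports:
        return []
    majority, _ = Counter(reports.values()).most_common(1)[0]
    return sorted(name for name, fp in reports.items() if fp != majority)

# Constructed stand-ins for DER certificates (not real certificates).
CERT_A = b"constructed-certificate-A"
CERT_B = b"constructed-certificate-B"

def demo():
    pins = {}
    seen = [check_pin(pins, "example.test", fingerprint(c))
            for c in (CERT_A, CERT_A, CERT_B)]
    reports = {
        "home": fingerprint(CERT_A),
        "office": fingerprint(CERT_A),
        "cafe-wifi": fingerprint(CERT_B),  # this observer sees a different certificate
        "vps": fingerprint(CERT_A),
    }
    return seen, outliers(reports)

if __name__ == "__main__":
    print(demo())
```

A changed fingerprint is a signal to investigate rather than proof of interception: sites renew certificates and some serve different certificates from different front ends.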
On Friday, 1 June 2012 at 3:49 PM, Jerrold Poh wrote:
Hi, I literally went through this process a couple of weeks ago, as my app uses SSL to communicate with the server component. I followed the instructions below on a Sunday afternoon, got my SNAP-R account after a 30 minute wait, and got an ERN right after I submitted the form. From what I understand, you have to do this even though you're not an Australian citizen, and as far as I know, you don't need a US postal address either to set it up (well I didn't and I was approved without issue). Consequently though, I was talking to Loren Brichter about this at the One More Thing conference last week (so I assume it's correct), and he told me that you no longer have to do this if you're just using the standard SSL libraries (as confirmed by Oliver too). To be honest, I'd apply for an ERN anyway. It takes a couple of hours to do but it could potentially save you the back and forth that you may encounter later.
Jerrold
On Friday, June 1, 2012 11:09:58 AM UTC+10, Benjamin Taylor wrote:
--
You received this message because you are subscribed to the Google Groups "Australian Cocoaheads" group.
To view this discussion on the web visit https://groups.google.com/d/msg/cocoaheadsau/-/UNxNFRIWckcJ.