[146985] in cryptography@c2.net mail archive


Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Sep 10 17:51:52 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 10 Sep 2013 17:51:43 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <105671C0-9159-468C-98F4-1645406121DD@hopcount.ca>
Cc: "Salz, Rich" <rsalz@akamai.com>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Tue, 10 Sep 2013 17:04:51 -0400 Joe Abley <jabley@hopcount.ca>
wrote:
> On 2013-09-09, at 12:04, "Salz, Rich" <rsalz@akamai.com> wrote:
> 
> > then maybe it's not such a "silly accusation" to think that
> > root CAs are routinely distributed to multinational secret
> > services to perform MITM session decryption on any form of
> > communication that derives its security from the CA PKI.
> > 
> > How would this work, in practice?
> 
> Suppose Mallory has access to the private keys of CAs which are in
> "the" browser list or otherwise widely-trusted.
> 
> An on-path attack between Alice and Bob would allow Mallory to
> terminate Alice's TLS connection, presenting an
> opportunistically-generated server-side certificate with signatures
> that allow it to be trusted by Alice without pop-ups and warnings.

Note that the apparent attacks against Petrobras, SWIFT and others
disclosed a few days ago appear to have used precisely this attack.

Perry
-- 
Perry E. Metzger		perry@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
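Added example, not part of the thread: a toy model of the scenario Joe Abley describes. Ordinary certificate path validation only asks whether *some* CA in the trust store signed the leaf, so a certificate minted with a compromised but widely-trusted CA key passes; a public-key pin for the server Alice expects does not. Certificates here are plain dataclasses and "signatures" are HMAC-SHA256 tags keyed by a per-CA secret standing in for RSA/ECDSA, so the trust store holds the CA object rather than a public key; the CA names, key bytes and hostname are all constructed.

```python
"""Toy model: why one compromised trusted CA breaks TLS for every site,
and how a SubjectPublicKeyInfo pin detects the substituted certificate.

Constructed example. Certificates are dataclasses and 'signatures' are
HMAC-SHA256 tags keyed by a per-CA secret, standing in for RSA/ECDSA.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str       # DNS name the certificate claims (toy: a single name)
    spki: bytes        # stands in for SubjectPublicKeyInfo
    issuer: str        # name of the issuing CA
    signature: bytes   # toy signature over (subject, issuer, spki)


def _tbs(subject: str, issuer: str, spki: bytes) -> bytes:
    """Toy 'to-be-signed' encoding; length-prefixed so fields cannot blur."""
    parts = [subject.encode(), issuer.encode(), spki]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


class CA:
    def __init__(self, name: str):
        self.name = name
        # Constructed secret. A compromised CA is modelled simply by letting
        # the attacker call issue() on this object.
        self._secret = hashlib.sha256(b"toy-ca-secret:" + name.encode()).digest()

    def issue(self, subject: str, spki: bytes) -> Cert:
        tag = hmac.new(self._secret, _tbs(subject, self.name, spki), "sha256").digest()
        return Cert(subject, spki, self.name, tag)

    def verify(self, cert: Cert) -> bool:
        expected = hmac.new(self._secret, _tbs(cert.subject, cert.issuer, cert.spki),
                            "sha256").digest()
        return hmac.compare_digest(expected, cert.signature)


def path_validates(cert: Cert, hostname: str, trust_store: dict) -> bool:
    """What a browser checks: name matches and *any* trusted CA signed it."""
    ca = trust_store.get(cert.issuer)
    return ca is not None and cert.subject == hostname and ca.verify(cert)


def spki_pin(spki: bytes) -> str:
    """SHA-256 over the public key, the shape HPKP pins used."""
    return hashlib.sha256(spki).hexdigest()


def pin_validates(cert: Cert, hostname: str, pins: dict) -> bool:
    """Pinning: the presented key must be one the client already expects."""
    return spki_pin(cert.spki) in pins.get(hostname, set())


def run_scenario() -> dict:
    honest_ca = CA("Honest Root CA")
    other_ca = CA("Other Widely Trusted CA")   # Mallory holds this CA's key
    trust_store = {ca.name: ca for ca in (honest_ca, other_ca)}

    bob_key = b"bob-public-key"          # constructed
    mallory_key = b"mallory-public-key"  # constructed
    host = "bob.example"

    genuine = honest_ca.issue(host, bob_key)
    forged = other_ca.issue(host, mallory_key)   # minted on-path for Bob's name

    pins = {host: {spki_pin(bob_key)}}           # Alice pinned Bob's key out of band

    return {
        "genuine_path": path_validates(genuine, host, trust_store),
        "forged_path": path_validates(forged, host, trust_store),      # passes: CA is trusted
        "genuine_pin": pin_validates(genuine, host, pins),
        "forged_pin": pin_validates(forged, host, pins),              # fails: wrong key
        "forged_without_that_ca": path_validates(forged, host, {honest_ca.name: honest_ca}),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The point the model makes is structural rather than cryptographic: `path_validates` never consults which CA Alice expected for `bob.example`, only that the issuer is in the store, so removing the compromised CA from the store (the last entry) or pinning the server key are the two controls that actually distinguish the forged certificate.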
