North American Network Operators Group

Re: Carnivore Update - Washington Post 11/21/00

  • From: Sean Donelan
  • Date: Fri Nov 24 04:50:21 2000

On Thu, 23 November 2000, Vadim Antonov wrote:
> I do not think that carnivore is doing that, but SSL is not resistant to
> the man-in-the-middle attack.  The problem here is in the lack of any
> useful certificate validation support.  How many users actually check that
> site certificate indeed belongs to whoever is identified as the site owner
> on the Web pages?

My understanding of Carnivore is it sits as a Man-On-The-Side, not a man-in-
the-middle.  Carnivore is exactly the type of eavesdropping Diffie-Hellman is
supposed to protect against.

> (Plus, it depends on the security of certification authority's private
> keys, their public parts being non-revokable, because they are bundled
> with browser software. I have a little doubt that it is all too easy for
> law enforcement to obtain these keys if they need to.  Interests of my
> privacy definitely do not match interests of RSA Cert. Auth., Inc, a
> commercial entity. Of course, I have no proof that this happened, but I
> have no reason to trust that it didn't happen, too.)

I was not aware that Terrorists'R'Us got their certificates from RSA.  Besides
wouldn't it violate some trading with the enemy law for a reputable certificate
authority to sell certificates to known terrorists?  Unless, of course, the
real targets for the surveillance are someone else.