North American Network Operators Group

Re: Carnivore Update - Washington Post 11/21/00
On Thu, 23 November 2000, Vadim Antonov wrote:

> I do not think that carnivore is doing that, but SSL is not resistant to
> the man-in-the-middle attack. The problem here is in the lack of any
> useful certificate validation support. How many users actually check that
> site certificate indeed belongs to whoever is identified as the site owner
> on the Web pages?

My understanding of Carnivore is it sits as a Man-On-The-Side, not a man-in-the-middle. Carnivore is exactly the type of eavesdropping Diffie-Hellman is supposed to protect against.

> (Plus, it depends on the security of certification authority's private
> keys, their public parts being non-revocable, because they are bundled
> with browser software. I have a little doubt that it is all too easy for
> law enforcement to obtain these keys if they need to. Interests of my
> privacy definitely do not match interests of RSA Cert. Auth., Inc, a
> commercial entity. Of course, I have no proof that this happened, but I
> have no reason to trust that it didn't happen, too.)

I was not aware that Terrorists'R'Us got their certificates from RSA. Besides, wouldn't it violate some trading with the enemy law for a reputable certificate authority to sell certificates to known terrorists? Unless, of course, the real targets for the surveillance are someone else.