Did The Iranian Gov't Try To Create A Massive Man-In-The-Middle Attack With Faked Certificates?
from the getting-sophisticated dept
A few months back, we talked about how the Tunisian government tried to do a massive hack on Facebook to access the communications of protesters and activists. It looks like the Iranian government tried to do something similar, figuring out a way to get bogus SSL certificates for Google, Yahoo, Skype and others, which would have allowed the government to set up a man-in-the-middle type attack to get passwords and access otherwise "encrypted" content. While this was discovered, it does suggest the levels that some governments will go to in order to spy on users online. More importantly, it highlights some of the serious problems with the certificate authority model of trust and security online. So here's the big question: how do we prevent these types of things from happening?Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: certificates, iran, man in the middle, security, ssl, trust
Reader Comments
Subscribe: RSS
View by: Time | Thread
A: don't live in Iran
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
I expect every thing
[ link to this | view in thread ]
There is alot you can do to secure communication between two known parties. It gets significantly more difficult to ensure that the server you've connected to is who you think it is.
The existing model is actually pretty good (as we don't hear about this thing all that often).
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
Without a doubt, there is nobody anywhere who could ever think of a way to provide a secure exchange of data in a world where distributed DNS is more prevalent than it is today.
/sarc
[ link to this | view in thread ]
The best would be to use an secure overlay like Retroshare, TOR, GNUNET or Herbivore.
SSL is just not that secure with governments they have the resources to get in.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
BitCoin is even used for anonymous financial transactions in the real world.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
http://i01.i.aliimg.com/photo/v1/362919873/USB_3_0_SATA_HDD_Stand_Hard.jpg
2 TB at in a slim form factor.
[ link to this | view in thread ]
[ link to this | view in thread ]
Blacklist CA's
[ link to this | view in thread ]
There's no evidence implicating the Iranian government
Any hacker worthy of the title is quite capable of launching their attack from zombies located anywhere...and zombies are everywhere, not just on consumer networks, but on corporate, educational, and governmental networks.
Some of the best discussion on this is happening on the NANOG list.
[ link to this | view in thread ]
Re: There's no evidence implicating the Iranian government
[ link to this | view in thread ]
Re: Blacklist CA's
[ link to this | view in thread ]
[ link to this | view in thread ]
Monkey Sphere
There are two ways to set up a trust model from what I gather: either trust an authority, or use a web of trust.
It appears the authority based model is not working at this point, so the alternative is the web of trust model.
To quote the Monkeysphere page:
“The Monkeysphere project's goal is to extend OpenPGP's web of trust to new areas of the Internet to help us securely identify servers we connect to(…)”
http://web.monkeysphere.info/
From that point, you can set different trust levels to different peers, the way you can in OpenPGP.
Oh, and maybe worth noting, you can also delete Certificate Authorities in Firefox (and others I guess).
Might make sense to only keep the ones you think *might* be doing their job of selling ones and zeros better than the others.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Response to: Anonymous Coward on Mar 25th, 2011 @ 12:37am
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]