"At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania."
Of course, I wanted to know more. I wanted to talk to those Packet Forensics folks myself! Well, apparently that's a lot tougher than you'd think.
First off, I tried calling several times during business hours to their Tempe, AZ office and got a "Press 1 for sales, 2 for technical support" ...when I pressed 1 for "sales" I got a message system asking me to leave a message and someone would call me back. Pressing 2 for "support" got me a live support person who was kind enough to tell me that if I wasn't a current customer I'd need to buzz off. Hrmm...
Also, apparently their system doesn't think my email address (which is my real email address) is real ...
So ... Packet Forensics folks ... I swear my email address is real. Will someone reply either privately or here on the blog? I have many, many questions!
Here are some of those questions...
- Are Packet Forensics products using an exploit to perform their duties, or are the devices using legitimately purchased (but cloned) certificates of real sites?
- Are these devices being used on commercial carrier networks (ISPs) here in the US?
1 comment:
I can't imagine that they'd go through the effort to get the actual cert used by the org they're spoofing. It's far easier to have a trusted CA in the box that generates whatever cert it needs on the fly.
Remember, SSL certs don't guarantee who you're talking to - only that someone "vouched" that they are who they said they are, and that it's encrypted. The trust in SSL comes from the CA, not the cert holder.
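The comment's point is the crux of the whole scheme: if any of the hundred-plus trusted CAs can vouch for any name, a box holding a trusted CA key can mint a certificate for the site on the fly, and the browser's chain validation will pass. The one thing such a certificate cannot reproduce is the site's real public key, which is why clients that pin the SubjectPublicKeyInfo (SPKI) of the expected key, rather than trusting whichever CA signed, can notice the swap. The following is an added example, not code from the blog or from Packet Forensics: a minimal DER walker that pulls the issuer and SPKI out of a certificate and compares an HPKP-style pin (base64 of SHA-256 over the DER SPKI) against a pin recorded from a known-good connection. The two certificates it checks are constructed in the block with placeholder key and signature bytes; they follow the X.509 field layout but are not real certificates, and `fake_cert`, `name`, and the pin helpers are this example's own names.

```python
"""Added example: SPKI pinning check that flags a certificate minted on the fly.

The certificates built below are constructed DER shells that follow the X.509
layout (Certificate -> tbsCertificate -> ... -> subjectPublicKeyInfo) with
placeholder key and signature bytes. They are not real certificates.
"""
import base64
import hashlib


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV element."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; returns (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    """Yield (tag, body) for each element directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body


def tbs_fields(cert_der: bytes):
    """Return the DER-encoded issuer Name and subjectPublicKeyInfo of a cert."""
    _, cert_body, _ = read_tlv(cert_der, 0)         # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)              # tbsCertificate SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # Order is: serial, signatureAlgorithm, issuer, validity, subject, SPKI.
    issuer = der(0x30, fields[2][1])
    spki = der(0x30, fields[5][1])
    return issuer, spki


def spki_pin(cert_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER subjectPublicKeyInfo))."""
    _, spki = tbs_fields(cert_der)
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


def check_pin(cert_der: bytes, expected_pin: str) -> bool:
    """True when the presented key is the one pinned on a known-good connection."""
    return spki_pin(cert_der) == expected_pin


def name(org: str) -> bytes:
    """Minimal X.501 Name: SEQUENCE { SET { SEQUENCE { organizationName OID, UTF8String } } }."""
    oid_org = der(0x06, b"\x55\x04\x0a")            # 2.5.4.10 organizationName
    return der(0x30, der(0x31, der(0x30, oid_org + der(0x0C, org.encode()))))


def fake_cert(issuer: str, subject: str, key_bytes: bytes) -> bytes:
    """Constructed certificate shell (hypothetical data, placeholder key/signature)."""
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    key_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))  # rsaEncryption
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, key_alg + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name(issuer) + validity + name(subject) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 8))


# Constructed scenario: the site's genuine certificate, and one an interception
# box minted for the same name using its own key and a different trusted CA.
GENUINE = fake_cert("Example Root CA", "www.example.com", b"\x01" * 32)
MINTED = fake_cert("Another Trusted CA", "www.example.com", b"\x02" * 32)
PIN = spki_pin(GENUINE)                             # recorded on a known-good connection


def demo():
    """Returns (genuine matches pin, minted cert matches pin)."""
    return check_pin(GENUINE, PIN), check_pin(MINTED, PIN)


if __name__ == "__main__":
    ok, forged = demo()
    print("genuine certificate matches pin:", ok)
    print("minted certificate matches pin:", forged)
```

The pin deliberately covers only the public key, so a legitimate reissue of the same key by a different CA still matches, while a certificate carrying a freshly generated key does not, regardless of which trusted CA signed it. A client that also records the expected issuer can raise a second alarm when the signing CA changes unexpectedly, which is the signal the comment above describes.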