Six Lines

Breaking SSL Encryption

Posted by Aaron Massey on 02 Apr 2010.

Last week, Christopher Soghoian and Sid Stamm released a fascinating paper about how the government and SSL certificate authorities could break SSL-based encryption. This has been widely covered in the news, but I highly recommend reading the draft paper (PDF) if you’re at all interested in the technical details.

Abstract:

This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals’ secure Web-based communications. We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.

Also, Matt Blaze posted some thoughts worth reading. Time to design something better indeed.