Eleanor Saitta's (previously) 2016 essay "Coercion-Resistant Design" (which is new to me) is an excellent introduction to the technical countermeasures that systems designers can employ to defeat non-technical, legal attacks: for example, the threat of prison if you don't back-door your product.
Read the rest
On Tuesday, the CEO of UK certificate reseller Trustico decided to settle an argument with Digicert executive VP Jeremy Rowley by emailing him the private keys for 23,000 TLS certificates that had been issued by Symantec's disgraced Certificate Authority, to prove they had been compromised.
Read the rest
Cloudflare's joint research with "a large e-commerce site" and Mozilla found that between 4-10% of secure, encrypted web connections are "intercepted," largely by corporate antivirus software that inserts its own certificates into users' browsers, allowing it to scan all traffic entering workers' computers. Read the rest
In 2012, Google introduced Certificate Transparency, an internet-wide tripwire system designed to catch cryptographic "certificate authorities" who abused their position to produce counterfeit credentials that would allow criminals, governments and police to spy on and tamper with secure internet connections. Read the rest
In 2012, Google rolled out Certificate Transparency, a clever system to spot corrupt "Certificate Authorities," the entities who hand out the cryptographic certificates that secure the web. If Certificate Authorities fail to do their jobs, they put the entire electronic realm in danger -- bad certificates could allow anything from eavesdropping on financial transactions to spoofing industrial control systems into accepting malicious software updates. Read the rest
Since 2014, Suckfly, a hacker group apparently based in Chengdu, China, has used at least 9 signing certs to make their malware indistinguishable from official updates from the vendor. Read the rest
Cothority is a new software project that uses "multi-party cryptographic signatures" to make it infinitely harder for governments to order companies to ship secret, targeted backdoors to their products as innocuous-looking software updates. Read the rest
In September, Google caught Symantec issuing a fake google.com cryptographic certificate that could have been used to seamlessly intercept encrypted Google.com traffic. Symantec is one of the participants in Certificate Transparency, through which all new certificates issued and seen in the wild are logged to append-only, cryptographically provable logs, which create irrefutable audit trails for any bogus certs issued/discovered. Read the rest
Your browser trusts SSL certificates from hundreds of "Certificate Authorities," each of which is supposed to exercise the utmost caution before issuing them -- a rogue cert would allow a criminal or a government to act as a man-in-the-middle between you and your bank, email provider, or employer, undetectably intercepting communications that you believed to be secure. Read the rest
An Indian certificate authority in the Microsoft root of trust has been caught issuing fake Google subdomain certificates that would allow nearly undetectable eavesdropping on "secure" connections to services like Google Docs. Read the rest