BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] root CA bloat
- Subject: [Discuss] root CA bloat
- From: bogstad at pobox.com (Bill Bogstad)
- Date: Sun, 23 Nov 2014 17:13:03 +0100
- In-reply-to: <5471F4D9.1010006@gmail.com>
- References: <546C4823.6060900@gmail.com> <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <546D7B55.70903@gmail.com> <BN3PR0401MB1204E9F1CF304F6724855281DC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <546FC87F.1090203@gmail.com> <546FE733.8070007@gmail.com> <CAJFsZ=pXgxcG5zeD=zg+us8uanYgRGEcToYAjuwekH7+K980Yg@mail.gmail.com> <5470A912.2080801@gmail.com> <CAJFsZ=rvcyoP+Op7EG01kkJyMM72mwg=sicPHF5fVdRbYceApw@mail.gmail.com> <5471272F.4090506@gmail.com> <CAJFsZ=pzNw6mk1aQZvLJ8CvAe-hv4EQA5Fu6g4Ewcf3kok=NyA@mail.gmail.com> <5471F4D9.1010006@gmail.com>
On Sun, Nov 23, 2014 at 3:53 PM, Richard Pieri <richard.pieri at gmail.com> wrote: > On 11/23/2014 3:26 AM, Bill Bogstad wrote: >> >> If they did something that Microsoft hadn't requested then I'm pretty >> sure somebody would both notice AND care. This is all in the context >> of attacking the security of Internet communications via a MITM >> attack. If Microsoft (one of the two parties communicating >> in this example) authorized it, then it isn't MITM. Whether it > > > Ahh. I see what you mean, now. Your argument, that because Microsoft /did/ > authorize MarkMonitor to act as an intermediary makes any interception not > MITM since it's not an unauthorized party listening in, has merit. Almost... Microsoft didn't authorize MarkMonitor to monitor their communications (as far as I know). They authorized them to provide DNS related services. So if MarkMonitor did this, then I would call it a MITM attack. My point is more that if they did do it, I believe that it would be very public that something funny was happening. The "cost" to MarkMonitor for doing this would be so high that I don't see them doing it voluntarily. Now if this was really end of the world type stuff, someone might convince/force them to do it anyway. In that case though, I think the parities involved would just go to Microsoft and get copies from them. Much less likely for anyone to ever know. An alternative scenario where someone breaks into MM and does this is worth considering. By using MM, Microsoft is increasing the attack scope on their communications. Of course, Microsoft is also dependent on the security of all CAs, top level DNS servers, etc. The problems with CA delegation seem much more significant then this one though. Until we get a solution to that problem, I'm not going to worry about this one. Bill Bogstad
- Follow-Ups:
- [Discuss] root CA bloat
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] root CA bloat
- References:
- [Discuss] free SSL certs from the EFF
- From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] free SSL certs from the EFF
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] free SSL certs from the EFF
- From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] free SSL certs from the EFF
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] root CA bloat
- From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] root CA bloat
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] root CA bloat
- From: bogstad at pobox.com (Bill Bogstad)
- [Discuss] root CA bloat
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] root CA bloat
- From: bogstad at pobox.com (Bill Bogstad)
- [Discuss] root CA bloat
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] root CA bloat
- From: bogstad at pobox.com (Bill Bogstad)
- [Discuss] root CA bloat
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] free SSL certs from the EFF
- Prev by Date: [Discuss] root CA bloat
- Next by Date: [Discuss] root CA bloat
- Previous by thread: [Discuss] root CA bloat
- Next by thread: [Discuss] root CA bloat
- Index(es):