Certified Lies: Detecting And Defeating Government Interception Attacks Against SSL

Date Added: Apr 2010
Format: PDF

This paper introduces the compelled certificate creation attack, in which government agencies may compel a certificate authority to issue false SSL certificates that intelligence agencies can use to covertly intercept and hijack individuals' secure Web-based communications. Although no direct evidence is available that this form of active surveillance is taking place in the wild, the paper shows how products already on the market are geared and marketed towards this kind of use, suggesting that such attacks may occur in the future, if they are not already occurring. Finally, the paper introduces a lightweight browser add-on that detects and thwarts such attacks.