
Are SSL connections to usenet compromised?

network ssl

7 replies to this topic

#1 Dime Bar

Dime Bar

    Neowinian

  • Joined: 14-September 12

Posted 14 September 2012 - 20:12

Usenet with SSL is considered one of the safest forms of communication left, but given that usenet clients/readers do not generally display a padlock sign or web-page warning messages about the validity of the certificate on the server they are connecting to, how would someone know if they were connecting to a server that had a compromised certificate and was thus prone to eavesdropping? Is it likely, for example, that a usenet provider would use a self-signed certificate to stop government and other agencies from trying to compromise trusted certificate authorities so that they could import the necessary keys into the DPI equipment which is installed on most major networks?
Anyone's thoughts on this would be greatly appreciated.

Edited by John S., 14 September 2012 - 20:22. Reason: ant-sized text increased



#2 +Audien

Audien

    Software Eng.

  • Joined: 30-December 03
  • Location: Seattle, WA
  • OS: Windows 8.1/Mac OSX
  • Phone: iPhone 5S

Posted 14 September 2012 - 20:56

This is left up to the clients - it's their choice if they accept a self-signed cert or just allow it silently.

#3 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 86
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 14 September 2012 - 21:09

"would use a self-signed certificate to stop government and other agencies from trying to compromise trusted certificate authorities so that they could import the necessary keys into their DPI equipment"

So you believe that agencies are doing man-in-the-middle type attacks where they are decoding SSL traffic between, say, you and Google so they can view your searches or read your email, or see what you're doing at your bank? And they are working with CAs like Verisign and such to accomplish this?

That is some serious black helicopter type stuff -- what is your source of information that this is happening? Do they have a page about how the gov also faked the moon landings?

I would be very interested in seeing the source of such information. And curious how you feel that, if the gov/agency was doing this, the use of a private signed cert would prevent this.

#4 Glassed Silver

Glassed Silver

    ☆♡Neowin's portion of Crazy♡☆

  • Joined: 10-June 04
  • Location: MY CATFORT in Kassel, Germany
  • OS: OS X ML; W7; Elementary; Android 4
  • Phone: iPhone 5 64GB Black (6.0.2)

Posted 14 September 2012 - 21:16

Self-signing doesn't have to be the all-in-one solution...

Who's to say your client hasn't been tampered with?
If we start being pretty paranoid, why not talk about this, too? :)


Glassed Silver:mac

#5 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 86
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 14 September 2012 - 21:25

The question in general is valid - how do you validate that the cert you're using is the correct one? If your client does not do any sort of testing that, hey, it's a trusted CA, and it is a self-signed cert, then it's going to be up to the user to get with the source of where they are trying to connect and verify the cert they are seeing is valid. Many self-signers provide method(s) of validation that their CA signed the cert and normally even provide you with details of how to get your client/browser to trust their cert.

Which usenet client are you using? Then we can look to see how you would go about trusting the CA or validating the cert used in the connection, etc.

The implication of a government conspiracy is what I am more curious about ;)
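
The checks BudMan describes in #5 (and the missing "padlock" from #1 and the client's accept-or-refuse choice from #2) are the ones a browser runs on every HTTPS connection: chain to a trusted root, hostname matches, and, if you have obtained the provider's certificate out of band, trust exactly that one or pin its fingerprint. The Python below is an added example written for this thread, not code from any poster or from a usenet provider; `news.example.invalid`, the cafile and the pin value are placeholders. It shows the "accept anything silently" context next to the verifying one, a fingerprint pin check, and a connection routine that refuses to send a single NNTP command (or password) unless the server's certificate passes.

```python
"""Validate an NNTPS (Usenet over TLS, port 563) server certificate the way a
browser validates an HTTPS one, with an optional SHA-256 fingerprint pin.

Illustrative code, not from anyone in this thread.  HOST, the cafile and the
pin are placeholders (assumptions); replace them with your provider's details.
"""
import hashlib
import socket
import ssl
from typing import Optional, Tuple

NNTPS_PORT = 563                # IANA-registered port for NNTP over TLS
HOST = "news.example.invalid"   # placeholder provider hostname (assumption)


class PinMismatch(Exception):
    """The server's leaf certificate is not the one we expected."""


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, in the colon-separated
    upper-case form printed by `openssl x509 -noout -fingerprint -sha256`."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert: bytes, expected: str) -> bool:
    """Compare fingerprints ignoring colons and case, so a value copied from a
    provider's support page or from openssl output compares equal."""
    def norm(s: str) -> str:
        return s.replace(":", "").upper()
    return norm(cert_fingerprint(der_cert)) == norm(expected)


def is_authenticating(ctx: ssl.SSLContext) -> bool:
    """True if the context both requires a trusted chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def insecure_context() -> ssl.SSLContext:
    """What 'just accept the certificate silently' amounts to: the link is
    encrypted, but to whoever answered, so an interposed proxy goes unnoticed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Browser-equivalent checks.  With cafile=None the system trust store is
    used; with a cafile holding the provider's own (self-signed) certificate,
    only that certificate is trusted, which is what 'get the cert from the
    source and tell your client to trust it' means in practice."""
    if cafile is None:
        ctx = ssl.create_default_context()
    else:
        # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_nntps(host: str, port: int = NNTPS_PORT, cafile: Optional[str] = None,
                  pin: Optional[str] = None, timeout: float = 10.0) -> Tuple[str, str]:
    """Open a verified TLS connection, optionally enforce a pinned fingerprint,
    and return (server greeting, observed fingerprint).  A chain or hostname
    failure raises ssl.SSLCertVerificationError inside wrap_socket; a pin
    failure raises PinMismatch before any NNTP command is sent."""
    ctx = verifying_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if pin is not None and not pin_matches(der, pin):
                raise PinMismatch(f"{host}: got {cert_fingerprint(der)}, expected {pin}")
            greeting = tls.recv(512).decode("ascii", "replace").strip()
            return greeting, cert_fingerprint(der)


if __name__ == "__main__":
    # Needs network access and a real provider; the placeholder host will fail.
    try:
        greeting, fp = connect_nntps(HOST)
        print(greeting)
        print("server cert fingerprint:", fp)
    except (OSError, PinMismatch) as exc:
        print("connection not verified:", exc)
```

To obtain a pin to compare against, fetch the certificate once over a path you trust (or take the fingerprint from the provider's own documentation) with `openssl s_client -connect host:563 </dev/null | openssl x509 -noout -fingerprint -sha256`. A pin answers the question in #1 even when the CA ecosystem is the thing you distrust: a proxy holding a CA-signed certificate for the right hostname still fails the pin, so the client refuses before it has sent anything. The cost is operational, since the provider rotating its certificate will break the pin until you update it.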

#6 +ChuckFinley

ChuckFinley


  • Joined: 14-May 03

Posted 16 September 2012 - 19:21

Budman ... :-p

http://www.wired.com...datacenter/all/
https://www.google.c...cdb78bf04b99564
http://rt.com/news/u...center-spy-789/
http://www.wired.co....ck-box?page=all
http://en.wikipedia....tah_Data_Center

Oooh it has a Visitors Center! I want to go ... :-D

http://www.forbes.co...rongest-crypto/

Looks like it's going to be ready for 2013.

#7 BGM

BGM

    Wibble Wobble™

  • Joined: 30-March 03
  • Location: Farnborough, UK

Posted 16 September 2012 - 19:45

interesting thread... *subscribed*

#8 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 86
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 17 September 2012 - 11:26

Not seeing any mention of MITM - if they were doing MITM then there would be no need to try and crack AES; cracking the encryption is a whole lot different from working with the CAs so that you don't have to.