Are SSL connections to usenet compromised?



Usenet with SSL is considered one of the safest forms of communication left, but given that usenet clients/readers do not generally display a padlock sign or web-page warning messages about the validity of the certificates on the server that they are connecting to, how would someone know if they were connecting to a server that had a compromised certificate and was thus prone to eavesdropping? Is it likely, for example, that a usenet provider would use a self-signed certificate to stop government and other agencies from trying to compromise trusted certificate authorities so that they could import the necessary keys into their DPI equipment which is installed on most major networks?

Anyone's thoughts on this would be greatly appreciated.

Edited by John S.
ant-sized text increased
Link to comment

"would use a self-signed certificate to stop government and other agencies from trying to compromise trusted certificate authorities so that they could import the necessary keys into their DPI equipment"

So you believe that agencies are doing man-in-the-middle type attacks where they are decoding SSL traffic between, say, you and Google so they can view your searches or read your email, or see what you're doing at your bank? And they are working with such CAs like VeriSign and such to accomplish this?

That is some serious black helicopter type stuff -- what is your source of information that this is happening? Do they have a page about how the gov also faked the moon landings?

I would be very interested in seeing the source of such information. And curious how you feel that, if the gov/agency was doing this, the use of a private signed cert would prevent this.

Link to comment

Self-signing doesn't have to be the all-in-one solution...

Who's to say your client hasn't been tampered with?

If we start being pretty paranoid, why not talk about this, too? :)

Glassed Silver:mac

Link to comment

The question in general is valid - how do you validate that the cert you're using is the correct one? If your client does not do any sort of testing that, hey, it's a trusted CA, and it is a self-signed cert, then it's going to be up to the user to get with the source of where they are trying to connect and verify the cert they are seeing is valid. Many self-signers provide method(s) of validation that their CA signed the cert and normally even provide you with details of how to get your client/browser to trust their cert.

Which usenet client are you using - and we can look to see how you would go about trusting a CA or validation of the cert used in the connection, etc.

The implication of a government conspiracy is what I am more curious about ;)

Link to comment
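The out-of-band check described in the reply above, as an added example (not part of the thread or of any usenet client): it reads the certificate an NNTP-over-TLS server presents and compares its SHA-256 fingerprint with one the provider has published. The host name, the published value and the function names are assumptions; 563 is the standard NNTPS port.

```python
import hashlib
import hmac
import re
import socket
import ssl
import sys

# Constructed stand-in for a DER-encoded certificate, so the helpers run offline.
SAMPLE_DER = b"constructed stand-in for a DER certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate, in colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(published: str) -> str:
    """Strip separators and case; reject anything that is not a SHA-256 value."""
    cleaned = re.sub(r"[\s:\-]", "", published).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("published fingerprint is not a SHA-256 hex value")
    return cleaned


def pin_matches(der: bytes, published: str) -> bool:
    """True only if the presented certificate hashes to the published value."""
    return hmac.compare_digest(hashlib.sha256(der).hexdigest(), normalise(published))


def fetch_server_cert(host: str, port: int = 563, timeout: float = 10.0) -> bytes:
    """Return the certificate the server presents, without trusting it yet."""
    ctx = ssl.create_default_context()
    # CA validation is off on purpose: a self-signed cert would fail it, and
    # trust here comes from the fingerprint comparison, not from a CA chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage (hypothetical values): python check_pin.py news.example.net "AB:CD:..."
    host, published = sys.argv[1], sys.argv[2]
    der = fetch_server_cert(host)
    print("presented:", fingerprint(der))
    sys.exit(0 if pin_matches(der, published) else 1)
```

A match is only meaningful if the published fingerprint reached you over a different channel than the connection being checked.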

Not seeing any mention of mitm - if they were doing mitm then there would be no need to try and crack AES, cracking the encryption is a whole lot different than working with the CAs so that you don't have to.

Link to comment