[VOIPSEC] Governments employing MiTM attacks against SSL
J. Oquendo
sil at infiltrated.net
Tue Apr 20 11:02:40 CDT 2010
T Biehn wrote:
>
> I was responding to your comment that you're protected against a
> Government ordered CA issued & valid 'intercept cert' because if you
> have 'nothing to hide' you have 'nothing to worry about.'
>
> What context are you in?
>
Then you either misinterpreted what I wrote, or I wasn't specific. In
the event that they're tapping ME... Tap away I have nothing to hide and
if I did, I wouldn't be using electronic communications to hide it.
Go back and read the context of my answer:
> Even if you attempted to be vigilant about EVERY connection you could
> make. Do you honestly and sincerely believe you will be opening
> (manually) every single cert when you visit an HTTPS enabled site? How
> long before you get tired. Even if you did, netsed is a PITA. Do you
> honestly think you could avoid this. You could theoretically try...
> Tunnel into one machine, into another into another... How long before
> you get tired?
>
> If you have zero to hide, you have zero to worry about. The logical
> truth is, so much data need be sifted through, unless - again - you had
> something to hide, the odds of the government using YOUR data from a
> MITM attack is highly unlikely. In fact, you could probably hit the
> Powerball in every state before your data made even a blip on the radar.
The statement in its entirety is geared towards the original document (http://files.cloudprivacy.net/ssl-mitm.pdf) where individuals will complain about being snared in a wiretap. 1) If you have nothing to hide you have nothing to worry about PERIOD. 2) If the gov decides to wiretap your line, they're doing so for a reason like it or not. I highly doubt the government is going to waste time, resources and money for the sake of saying: "Gee I wonder what Oquendo is doing... Let's tap him!" Hell, I'd invite them over any time. Tap away. If the government is doing something unscrupulous (tapping without an order), they'd be in contempt and the taps would be worthless, so what should I worry about.
So again:
Worrier: Oh noes the government is tapping me!
Non-worrier: So what? Its only SSL... I use PGP inside of a stego file + Vanish...
Worrier: Oh noes... The government is tapping me... Disgusting...
Non-worrier: Obviously you worry too much or have little creativity when it comes to hiding information if you needed to.
Worrier: Disgusting...
Non-worrier: Nothing to see here move along
What this entire argument/point-counterpoint has to do with VoIP at this point is beyond me.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
More information about the Voipsec
mailing list