Possibility of governments spying (pretty easily) on supposedly-secure communications
Today's pointer to Ars Technica is a rather scary article: there is circumstantial reason to believe that governments are spying on secure communications. Read the article for the full details, but suffice it to say that a company turns out to be producing spying hardware that only makes sense to use if governments are either forcing the top-level certificate authorities to hand over certificates, or are simply forging certificates using their own CAs.

Of course, anyone who felt completely confident that the NSA wasn't snooping has been living in a dreamworld. But if I'm reading this correctly, the implications are much more serious: for example, it would be entirely possible for random governments (e.g., China) to create forged credentials that make it *look* like you have a secure online connection while the traffic is actually being snooped. The fraud would be detectable if you know what you're doing, but almost nobody actually clicks that little lock icon in their browser and inspects the signing certificate authority.

Creepy stuff. Don't know if it's been used illicitly (I would agree with Ars that it seems unlikely that it *hasn't* been used in court-ordered spying, but that's the least of my concerns), but it does leave me wondering which government certificate authorities are currently considered "trusted", and whether that makes sense...
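The check the post alludes to, inspecting which CA actually signed a site's certificate rather than trusting any CA the browser trusts, can be automated. The script below is an added example, not from the post or the Ars article: it pins the expected issuer commonName per host (the table and the host name are constructed placeholders) and flags a certificate signed by any other CA, even a "trusted" one.

```python
"""Issuer pinning: flag a TLS certificate whose signing CA differs from the
one you expect for that host, even if the OS/browser trust store accepts it.
The pin table and host below are constructed placeholders, not real pins."""
import socket
import ssl

# Hypothetical allow-list of the issuer commonName expected for each host.
EXPECTED_ISSUER_CN = {
    "mail.example.com": "Example Trusted CA G2",
}


def rdn_value(name, key):
    """Extract one attribute (e.g. 'commonName') from the nested tuple
    structure ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def check_issuer(cert, host):
    """Return (ok, message) for a getpeercert() dict. A chain that ends at a
    CA other than the pinned one is reported even though it may validate."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    subject_cn = rdn_value(cert.get("subject", ()), "commonName")
    expected = EXPECTED_ISSUER_CN.get(host)
    if expected is None:
        return False, f"{host}: no issuer pinned, cannot verify signing CA"
    if issuer_cn != expected:
        return False, (f"{host}: cert for {subject_cn!r} signed by {issuer_cn!r}, "
                       f"expected {expected!r}: possible substituted certificate")
    return True, f"{host}: issuer {issuer_cn!r} matches pin"


def fetch_peer_cert(host, port=443):
    """Live check: do the normal chain validation, then return the leaf
    certificate dict so the issuer can be compared against the pin."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    target = "mail.example.com"  # placeholder host
    print(check_issuer(fetch_peer_cert(target), target)[1])
```

Pinning the issuer this way only catches a substituted chain; it does not tell you whether the pinned CA itself was coerced, which is the larger worry the article raises.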


Slightly off topic ...

I need to scrounge the link, but the new "smart" controls for the power grid -- the ones your electric utility is probably pressuring you to get -- are quite hackable.

Re: Slightly off topic ...

Shocking -- not. While I approve of the smart-grid initiative in general, this is pretty unsurprising: it is rare for either corporate or government entities to pay enough attention to end-user security...
