Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL

20 Pages Posted: 18 Apr 2010

See all articles by Christopher Soghoian

Christopher Soghoian

Yale University - Yale Information Society Project

Sid Stamm

affiliation not provided to SSRN

Date Written: April 16, 2010

Abstract

This paper introduces the compelled certificate creation attack, in which government agencies may compel a certificate authority to issue false SSL certificates that can be used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications. Although we do not have direct evidence that this form of active surveillance is taking place in the wild, we show how products already on the market are geared and marketed towards this kind of use - suggesting such attacks may occur in the future, if they are not already occurring. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.

Keywords: privacy, security, government surveillance

Suggested Citation

Soghoian, Christopher and Stamm, Sid, Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL (April 16, 2010). Available at SSRN: https://ssrn.com/abstract=1591033 or http://dx.doi.org/10.2139/ssrn.1591033

Christopher Soghoian (Contact Author)

Yale University - Yale Information Society Project ( email )

127 Wall Street
New Haven, CT 06511
United States

Sid Stamm

affiliation not provided to SSRN ( email )

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
605
Abstract Views
10,140
Rank
87,152
PlumX Metrics