Gov’t, certificate authorities conspire to spy on SSL users?
SSL is the cornerstone of secure Web browsing, enabling credit card and bank details to be used on the ‘Net with impunity. We’re all told to check for the little padlock in our address bars before handing over any sensitive information. SSL is also increasingly a feature of webmail providers, instant messaging, and other forms of online communication.
Recent discoveries by Wired and a paper by security researchers Christopher Soghoian and Sid Stamm suggest that SSL might not be as secure as once thought. Not because SSL itself has been compromised, but because governments are conspiring with Certificate Authorities, key parts of the SSL infrastructure, to subvert the entire system to allow them to spy on anyone they wish to keep tabs on.
The weaknesses of SSL are well known, which is why people who know anything about security don’t trust Certificate Authorities, but in the past this has just been known as something that governments were probably doing. Now we have the first bit of evidence that they’re actually doing it. I don’t think this will make any difference in the long run–after all, nobody cared when, after years of suspicion, the US government admitted to using cell phones as tracking and listening devices–but hopefully at least a few people will read this and recognize that the government can and does spy on them.