[SSL Observatory] New bad Google MITM cert

Ralf Skyper Kaiser skyper at thc.org
Tue Dec 10 03:46:19 PST 2013


Hi,

This is a guess and just a guess: The Ministry of Finance/France installed
an SSL Proxy to inspect all SSL traffic (read: spy on its employees).
(Google hopefully will release more info on how they found out about the
cert)

Spying on employees is illegal under EU law (in general) regardless of whether
the employee agrees to it in the employment contract or not. (Unless under
certain circumstances. I do not know if they were met here. The EU
Commission is the right body to investigate this).

The quote from the ANSSI statement does not make sense (technically) and
looks like a failed PR attempt.

regards,

skyper



On Tue, Dec 10, 2013 at 11:34 AM, Larry Seltzer <larry at larryseltzer.com> wrote:

>  ANSSI responded several days ago (
> http://www.ssi.gouv.fr/en/the-anssi/events/revocation-of-an-igc-a-branch-808.html),
> but someone’s going to have to explain to me how their explanation is
> possible:
>
> “As a result of a human error which was made during a process aimed at
> strengthening the overall IT security of the French Ministry of Finance,
> digital certificates related to third-party domains which do not belong to
> the French administration have been signed by a certification authority of
> the DGTrésor (Treasury) which is attached to the IGC/A.”
>
> I can maybe understand how an intermediate CA cert was made as part of
> some test, but using it to sign foo.google.com or whatever, and putting
> all this online… Someone make this clearer for me
>
> Larry J Seltzer  larry at larryseltzer.com
> (973) 378-8728
> Follow Me On Twitter: @lseltzer
>
> On Sat, Dec 7, 2013 at 10:05 PM, Seth Schoen <schoen at eff.org> wrote:
>
> http://googleonlinesecurity.blogspot.com/2013/12/further-improving-digital-certificate.html
>
> They caught it with pinning.  I wonder if we have a sample; it sounds
> like it was an extremely small-scale attack (a single organization got
> an intermediate chaining to a publicly-trusted root in order to spy on
> employees with its firewall?).  If that was the entire scope of it,
> it's relatively unlikely that anyone in that organization is sending
> observations to us, maybe depending on how large the organization is
> and whether they prevent desktop users from installing third-party
> software.
>
> --
> Seth Schoen  <schoen at eff.org>
> Senior Staff Technologist                       https://www.eff.org/
> Electronic Frontier Foundation                  https://www.eff.org/join
> 815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
>
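The pinning check Seth refers to above, as an added example (not code from this thread or from Google): a chain is accepted only if some certificate in it matches a pin set for the domain, so a cert chaining to the publicly trusted IGC/A root still fails, whereas a chain ending in a locally installed corporate root is exempt from pin enforcement (the Chrome/HPKP rule). All SPKI values below are constructed placeholders, not real keys.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """Chrome/HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed placeholder SPKIs (not real keys). In a real check each is the
# DER SubjectPublicKeyInfo taken from the certificate the server presented.
GOOGLE_LEAF   = b"constructed-spki:www.google.com"
GOOGLE_INT    = b"constructed-spki:google-internet-authority"
GEOTRUST_ROOT = b"constructed-spki:geotrust-global-ca"
MITM_LEAF     = b"constructed-spki:mitm-leaf-for-google-domain"
DGTRESOR_INT  = b"constructed-spki:dgtresor-intermediate"
IGCA_ROOT     = b"constructed-spki:igc-a-root"
CORP_ROOT     = b"constructed-spki:corporate-proxy-root"

# Pins the browser ships for google.com: the legitimate intermediate and root.
GOOGLE_PINS = {spki_pin(GOOGLE_INT), spki_pin(GEOTRUST_ROOT)}
# Roots in the public trust store (IGC/A is publicly trusted in this scenario).
PUBLIC_ROOTS = {GEOTRUST_ROOT, IGCA_ROOT}
# Roots an administrator installed locally (e.g. an inspection proxy).
USER_ROOTS = {CORP_ROOT}

def check_pins(chain, pins, public_roots=PUBLIC_ROOTS, user_roots=USER_ROOTS):
    """chain: list of SPKI DER bytes, leaf first, trust anchor last.
    Returns (accepted, reason). A chain passes when ANY certificate in it
    matches a pin; pins are not enforced for locally installed anchors."""
    anchor = chain[-1]
    if anchor in user_roots:
        return True, "locally installed anchor: pins not enforced"
    if anchor not in public_roots:
        return False, "anchor not trusted"
    if any(spki_pin(spki) in pins for spki in chain):
        return True, "pin matched"
    return False, "no certificate in chain matches a pin"

LEGIT_CHAIN = [GOOGLE_LEAF, GOOGLE_INT, GEOTRUST_ROOT]
ANSSI_CHAIN = [MITM_LEAF, DGTRESOR_INT, IGCA_ROOT]   # the case in this thread
PROXY_CHAIN = [MITM_LEAF, DGTRESOR_INT, CORP_ROOT]   # typical enterprise proxy

if __name__ == "__main__":
    for name, chain in [("legit", LEGIT_CHAIN), ("anssi", ANSSI_CHAIN),
                        ("proxy", PROXY_CHAIN)]:
        print(name, check_pins(chain, GOOGLE_PINS))
```

The middle case is why this incident was visible at all: the rogue intermediate chained to a public root, so pin checking ran and failed, while the same proxy behind a locally installed root would have passed silently.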