today’s fun fact:
VeriSign runs the domain name system for the .com and the .net domains.
VeriSign also sells about half of the net’s SSL certificates…
VeriSign can issue a certificate for any one of their customers.
It is claimed that a certificate that is signed by a trusted certificate authority (CA) can protect against the man-in-the-middle (MITM) attack and also domain name spoofing.
So if Alice is protected by a VeriSign cert, it is an easy technical matter for VeriSign to issue a new cert [and also spoof a .com or .net domain] that allows them to MITM the naive and trusting Alice.
[in other words, if you can’t trust the CA, you can’t trust anybody. now for the fun part…]
Due to a bug in the PKI (the public key infrastructure based on x.509 keys that manages keys for SSL), all CAs are equally trusted.
That is, for most internet browsers, there is no firewall between one certificate authority and another, so if you trust VeriSign (and almost all browsers do) they can issue a cert to MITM any other CA-issued cert, and every browser will accept it without saying boo.
in other words, if there’s even one CA in your root list that you can’t trust, then you can’t trust anybody!
[and for the coup de gras, …]
VeriSign provides a managed service to telcos and internet service providers in order to help them handle wiretaps, eavesdropping, and other compliance tasks.
[now, if you are familiar with the bill that mandates intelligence and law enforcement agency access to telcos and internet providers, and consider their relationship with VeriSign and possible use of this service, you will quickly be forced to conclude that the supposed security of ssl encryption based on pki is a total myth.]