[personal profile] jducoeur
Today's pointer to Ars Technica is a rather scary article: there is circumstantial reason to believe that governments are spying on secure communications. Read the article for the full details, but suffice it to say that a company turns out to be producing spying hardware that only makes sense to use if governments are either forcing the top-level certificate authorities to hand over certificates, or are simply forging certificates using their own CAs.

Of course, anyone who felt completely confident that the NSA wasn't snooping has been living in a dreamworld. But if I'm reading this correctly, the implications are much more serious: for example, that it would be entirely possible for random governments (e.g., China) to create forged credentials that make it *look* like you have a secure online connection when you are actually being snooped on. The fraud would be detectable if you know what you're doing, but almost nobody actually clicks that little lock icon in their browser and inspects the signing certificate authority.

Creepy stuff. Don't know if it's been used illicitly (I would agree with Ars that it seems unlikely that it *hasn't* been used in court-ordered spying, but that's the least of my concerns), but it does leave me wondering which government certificate authorities are currently considered "trusted", and whether that makes sense...
