[cryptography] RDRAND and Is it possible to protect against malicious hw accelerators?

Marsh Ray marsh at extendedsubset.com
Tue Jun 21 16:15:58 EDT 2011

On 06/21/2011 12:18 PM, Ian G wrote:
> On 18/06/11 8:16 PM, Marsh Ray wrote:
>> On 06/18/2011 03:08 PM, slinky wrote:
>> .... But we know there are still hundreds of
>> "trusted" root CAs, many from governments, that will silently install
>> themselves into Windows at the request of any website. Some of these
>> even have code signing capabilities.
> Hmmm... I'm currently working on a risk analysis of this sort of thing.
> Can you say more about this threat scenario?

I did a blog post about it a while back: http://extendedsubset.com/?p=33

This was about the CNNIC situation, since then we've seen Tunisia MITM 
its citizens and they have a national CA as well.

Basically, MS Windows has a list of "Trusted Root CAs". But the list 
displayed there is actually just a subset of the CAs that are 
effectively trusted. When you browse to a site with a CA not in this 
list, Windows can contact Microsoft and on-the-fly add that cert to your 
trusted root store. Innovative, huh?

- Marsh

More information about the cryptography mailing list