[cryptography] RDRAND and Is it possible to protect against malicious hw accelerators?
marsh at extendedsubset.com
Tue Jun 21 16:15:58 EDT 2011
On 06/21/2011 12:18 PM, Ian G wrote:
> On 18/06/11 8:16 PM, Marsh Ray wrote:
>> On 06/18/2011 03:08 PM, slinky wrote:
>> .... But we know there are still hundreds of
>> "trusted" root CAs, many from governments, that will silently install
>> themselves into Windows at the request of any website. Some of these
>> even have code signing capabilities.
> Hmmm... I'm currently working on a risk analysis of this sort of thing.
> Can you say more about this threat scenario?
I did a blog post about it a while back: http://extendedsubset.com/?p=33
This was about the CNNIC situation, since then we've seen Tunisia MITM
its citizens and they have a national CA as well.
Basically, MS Windows has a list of "Trusted Root CAs". But the list
displayed there is actually just a subset of the CAs that are
effectively trusted. When you browse to a site with a CA not in this
list, Windows can contact Microsoft and on-the-fly add that cert to your
trusted root store. Innovative, huh?
More information about the cryptography