Linked by davidiwharper on Tue 14th Jan 2014 09:03 UTC
Mozilla & Gecko clones

Mozilla plans to establish an automated process which would verify that binaries contain only the code found in the official source repositories, and not spyware secretly added during the build process at the behest of government intelligence agencies. In a blog post entitled Trust but Verify, CTO Brendan Eich and R&D VP Andreas Gal note that governments "may force service operators [such as Mozilla] to enable surveillance (something that seems to have happened in the Lavabit case)" and pledge to develop systems which will make Firefox resistant to this form of tampering.

TLS
by hackus on Wed 15th Jan 2014 05:10 UTC
hackus
Member since:
2006-06-28

Well, one thing I did notice from a number of security conferences is that TLS encryption/authentication seems to give the NSA a lot of trouble.

So this year I am installing TLS all over the place.

-Hack

Reply Score: 3

RE: TLS
by Alfman on Wed 15th Jan 2014 08:55 in reply to "TLS"
Alfman Member since:
2011-01-28

hackus,

"Well, one thing I did notice from a number of security conferences is that TLS encryption/authentication seems to give the NSA a lot of trouble."


TLS foils *passive* monitoring; however, it is very likely, in my opinion, that the NSA has access to several CA root signing keys. If so, then it would enable them to construct an *active* monitoring proxy similar to what is described here:

http://www.zdnet.com/how-the-nsa-and-your-boss-can-intercept-and-br...

Since the proxy's certificates are signed by "legitimate" CA keys, ordinary HTTPS users are none the wiser. However, my educated guess is that the NSA would only use this technique against targets rather than for blanket surveillance, to reduce the risk of getting caught.

I've used a very similar technique with stunnel to be able to use Wireshark against encrypted traffic (using self-signed certificates rather than official CA certificates, obviously).
https://www.stunnel.org/index.html

Reply Parent Score: 4
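As an added example (not code from the thread, from Mozilla, or from stunnel), here is the defensive counterpart to the interception proxy Alfman describes: a trust-on-first-use check over handshake records that flags a host whose leaf certificate suddenly chains to a different issuer, which is what a CA-signed interception proxy looks like from the client side. The log format, hosts, issuer names and fingerprints are all constructed for the example; Python standard library only.

```python
import re

# Constructed per-handshake observations as a client or network monitor might
# record them: timestamp, host, issuer of the leaf cert, SHA-256 leaf fingerprint.
# Every value here is made up for the example.
OBSERVATIONS = """\
2014-01-15T05:10:00Z host=mail.example.org issuer="Example Root CA" fp=11aa
2014-01-15T05:11:00Z host=mail.example.org issuer="Example Root CA" fp=11aa
2014-01-15T05:12:00Z host=www.example.net issuer="Other Trusted CA" fp=22bb
2014-01-15T05:13:00Z host=mail.example.org issuer="Another Trusted CA" fp=33cc
2014-01-15T05:14:00Z host=www.example.net issuer="Other Trusted CA" fp=22bb
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) issuer="(?P<issuer>[^"]*)" fp=(?P<fp>[0-9a-f]+)$'
)


def parse(log):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_cert_changes(log, pins=None):
    """Trust-on-first-use: remember (issuer, fingerprint) the first time a host is
    seen (or take it from `pins`, a host -> (issuer, fp) dict) and report every later
    handshake that presents something else. A chain-valid cert from a *different*
    CA is the interesting case: CA-signed interception passes normal validation."""
    baseline = dict(pins or {})
    alerts = []
    for rec in parse(log):
        host, current = rec["host"], (rec["issuer"], rec["fp"])
        expected = baseline.get(host)
        if expected is None:
            baseline[host] = current          # first sighting becomes the baseline
            continue
        if current != expected:
            kind = "issuer-changed" if current[0] != expected[0] else "cert-rotated"
            alerts.append({"ts": rec["ts"], "host": host, "kind": kind,
                           "expected": expected, "seen": current})
    return alerts


if __name__ == "__main__":
    for a in find_cert_changes(OBSERVATIONS):
        print(a["ts"], a["host"], a["kind"], "expected", a["expected"], "saw", a["seen"])
```

A legitimate certificate renewal also trips the check (as "cert-rotated"), so the output is a review queue rather than a verdict; an "issuer-changed" hit is the one worth investigating first.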