[Ach] filippo on SSL SMTP encryption

Aaron Zauner azet at azet.org
Thu Apr 2 01:11:06 CEST 2015

Hi Manuel,

Manuel Kraus wrote:
> Having said "killswitch" was not meant to have some best solution to
> fuck with the internet, it was meant to show that some government is
> most possibly willing to actively disturb the internet by whatever
> means. Enforcing suicide on webbrowsers could simply be one out of many
> ways to do it. Maybe there is no need to disturb internet routing
> (complete AS's), if you can disturb visitors accessing their single
> target server with this less invasive (for the network) method. Given
> the assumption, that an attacker does not control all links to the
> target (firewall, traffic shaping does not work) and is not even in the
> vicinity of it, he still can make a semi permanent damage without
> disturbing the network as a whole. Having an active injector for some
> days, covering traffic to a single specific service is a quite low
> effort, while having a huge amount of people not knowing what their
> browsers are up to blocking that site for days or longer as "high gain"
> result.

If I were to target specific sites; why wouldn't I use DNS for that? :)

Yes of course it's possible to do such attack in theory - I don't really
see value in that. This also doesn't mean that because these attacks are
theoretically possible key pinning is a bad idea. In fact it's a far
better idea than anything that is based on DNSSEC has brought up until
now. Also these attacks would be equally valid for any SSH service - I'm
not aware that this has ever been tried in the wild, neither by
researchers nor by governments.

> Mentioning "handwaving": You really can't tell if such an attack
> wouldn't be low effort high gain if it hasn't took place in the wild yet
> and without reflecting about the investment/outcome ratio thereafter.
> And what do you know about how intelligence operations work? I for
> myself have no clue! ;-)

For the last ~8 years I've been reading up on that (yep, that was even
before the whole wikileaks and snowden stuff). Of course I'm not
employed by any intelligence agency nor do I intend to work for one.
It's just interesting. A lot of this information is publicly available
on the internet or in books.

That being said: It's common sense to figure out that it would be just
political suicide to openly subvert the internet or parts of it. No one
in their right mind will acknowledge that without leaks.

I'm not saying it's impossible - but highly unlikely.

> We're going far off here btw.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150402/535bae70/attachment.sig>

More information about the Ach mailing list