
11 Sep 2013, 2:05 a.m.
Erik Christiansen <dvalin@internode.on.net> writes:
> On 10.09.13 15:44, Trent W. Buck wrote:
>> Turkish intelligence don't need to "crack" TLS; they just get Firefox to trust them by default, then do the normal MITM dance. I don't see why the NSA can't do that, too.
>
> Thanks, Trent, that link is eye-opening!
>
> My SSL fu isn't up to grokking how the cert would initially get onto his machine. Is the extra one sneaked in when Firefox is pointed at a boobytrapped https page?

Erm, Firefox ignores the system certificate list and ships its own default list. AIUI, TUBITAK's key is in it, and trusted by default.