How the NSA, and your boss, can intercept and break SSL by Steven J. Vaughan-Nichols.
From the post:
Is the National Security Agency (NSA) really “wiretapping” the Internet? Accused accomplices Microsoft and Google deny that they have any part in it and the core evidence isn’t holding up that well under closer examination.
Some, however, doubt that the NSA could actually intercept and break Secure Sockets Layer (SSL) protected Internet communications.
Ah, actually the NSA can.
And you can too, and it doesn’t require “Mission Impossible” commandos, hackers or supercomputers. All you need is a credit-card number.
There are many ways to attack SSL, but you don’t need fake SSL certificates, a rogue Certification Authority (CA), or variations on security expert Moxie Marlinspike’s man-in-the-middle SSL attacks. Why go to all that trouble when you can just buy an SSL interception proxy, such as Blue Coat Systems’ ProxySG or their recently acquired Netronome SSL appliance, to do the job for you?
Blue Coat, the biggest name in the SSL interception business, is far from the only one offering SSL interception and breaking in a box. Until recently, for example, Microsoft would sell you a program, Forefront Threat Management Gateway 2010, which could do the job for you as well.
There’s nothing new about these services. Packet Forensics was advertising appliances that could do this in 2010. The company is still in business and, while they’re keeping a low profile, they appear to be offering the same kind of devices with the same services.
What would you like to bet the NSA took the most expensive route to a commodity product to break SSL?