From: Michael O Holstein <michael.holstein@csuohio.edu>
To: "tor-talk@lists.torproject.org" <tor-talk@lists.torproject.org>, "Jacob Appelbaum" <jacob@appelbaum.net>
Date: Mon, 5 Jan 2015 17:44:32 +0000
Message-ID: <1420479966535.77500@csuohio.edu>
References: <54AAA6E4.2010003@whonix.org>
In-Reply-To: <54AAA6E4.2010003@whonix.org>
Cc: Whonix-devel <whonix-devel@whonix.org>
Subject: Re: [tor-talk] How much of SSL CA protected traffic is read by NSA etc. according to...?

>Could you please explain how to interpret Jacob Appelbaum's talk at 31c3? [1]

From all the various documents they have collected it's fair to say that at the present time, barring non-technical methods (http://xkcd.com/538/) .. the only applications they have seen reported as "no intercept available" are OTR(*) and PGP.

>Is (almost) all traffic that is protected by the usual SSL CA's browser
>encryption being monitored by NSA and friends?

Although he doesn't say it directly (this time) I think it's safe to assume the answer is "yes" .. there have been notable thefts of keysigning material from commercial CA's by non-government criminal groups. To assume the three-letter folks don't also engage in such endeavors is foolish at best.

Note that they'd really only need command of *one* CA that is trusted to pull it off (see also the trick that corporate web appliances use to transparently intercept SSL) .. although that would make them likely to get caught at it.

(*) : OTR uses DH with PFS and a short temporal keylife, so not all that different from some of the non-default (ha ha NSA) IKE proposals. Granted, due to laziness most businesses don't apply ultra-paranoid configurations to their VPN tunnels because it affects performance and confuses the other guy .. but I'm curious if *properly configured* IPSEC similarly suffers.


Cheers,

Michael Holstein
Cleveland State University

PS: Jacob, thank you as always for everything you do.
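The "one trusted CA is enough" point above is worth seeing in code. The added example below (not part of the original message) shows why ordinary chain validation cannot tell a genuine certificate from one minted by a different but equally trusted CA, and how pinning the expected issuer catches the substitution. The certificate records are constructed in the shape Python's ssl.SSLSocket.getpeercert() returns; the CA names and hostnames are hypothetical.

```python
"""Detecting TLS interception by an unexpected-but-trusted CA.

Chain validation accepts a leaf signed by *any* root in the trust store,
so a single compromised (or corporate inspection) CA can issue a valid
certificate for a name it does not own. Pinning the expected issuer is
the extra check that flags the swap. Sample records below are constructed
in the shape of ssl.SSLSocket.getpeercert(); all names are hypothetical.
"""

# Constructed sample: what getpeercert() would return for the real site.
GENUINE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "example.org")),
}

# Constructed sample: same hostname, but issued by a corporate interception
# CA that the workstation trusts. Chain validation alone accepts this.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "Acme Corp"),),
               (("commonName", "Acme Corp SSL Inspection CA"),),),
    "subjectAltName": (("DNS", "www.example.org"),),
}

# The issuer we expect to see for this site (the pin).
EXPECTED_ISSUER_CNS = {"Example Public CA R3"}


def rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def covers_host(cert, host):
    """Hostname check: DNS SANs first, falling back to the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = sans or [rdn_value(cert["subject"], "commonName")]
    return host in names


def check_peer(cert, host, expected_issuer_cns):
    """Return (ok, reason). The hostname match is all that plain validation
    gives you; the issuer pin is what distinguishes the two sample certs."""
    if not covers_host(cert, host):
        return False, "hostname mismatch"
    issuer_cn = rdn_value(cert["issuer"], "commonName")
    if issuer_cn not in expected_issuer_cns:
        return False, f"unexpected issuer: {issuer_cn}"
    return True, "issuer matches pin"
```

Both sample certificates pass the hostname check; only the pin separates them, which is exactly the gap a rogue or corporate CA exploits.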