The researchers – Chris Soghoian and Sid Stamm – have published a paper that describes a simple server-based appliance, which could be marketed to law enforcement and intelligence agencies, that uses bogus SSL ertificates allegedly issued by co-operative certificate authorities.
Used in the right configuration, the two researchers claim that the surveillance server can be used to stage a 'man-in-the-middle' eavesdropping session on encrypted web traffic.
This is not just a theoretical idea, Infosecurity notes, as the researchers claim that a system box has already been developed that performs the required process and is being supplied to government agencies in the US.
According to Matt Blaze, a computer science professor with the University of Pennsylvania, the existence of the system box "indicates the vulnerability is likely being exploited by more than just information-hungry governments."
In his security blog, Blaze notes that, from the perspective of a law enforcement or intelligence agency, this sort of surveillance is far from ideal.
"A central requirement for most government wiretapping... is that surveillance be undetectable. But issuing a bogus web certificate carries with it the risk of detection by the target, either in real-time or after the fact, especially if it's for a web site already visited", he said.
"Although current browsers don't ordinarily detect unusual or suspiciously changed certificates, there's no fundamental reason they couldn't – and the Soghoian/Stamm paper proposes a Firefox plugin to do just that", he added.
"In any case, there's no reliable way for the wiretapper to know in advance whether the target will be alerted by a browser that scrutinizes new certificates."