posted by mrcoolbp on Tuesday March 25 2014, @11:30PM
from the drinking-and-spying dept.

Fluffeh writes:

A recent article by The Intercept showed how US and UK intelligence agencies have been impersonating the servers of companies like Facebook. In November, Der Spiegel noted that agencies created "bogus versions" of sites like Slashdot and LinkedIn to plant malware in targets' machines.

Copyright claims brought against the government must be filed in the US Court of Federal Claims, and the subject matter in question must have previously been registered with the Copyright Office, something companies don't typically do for their Web interfaces.

In contrast, under the Lanham Act, the government is expressly liable. The law clearly states, "As used in this paragraph, the term 'any person' includes the United States, all agencies and instrumentalities thereof, and all individuals, firms, corporations, or other persons acting for the United States and with the authorization and consent of the United States."

 
  • (Score: 1) by cbiltcliffe on Saturday March 29 2014, @11:24PM

    by cbiltcliffe (1659) on Saturday March 29 2014, @11:24PM (#23029)

    Using HTTPS to foil the NSA's monitoring would be absolutely useless.
    When the NSA approaches a domestic CA with an NSL, requesting the CA to provide an SSL certificate with your website's name on it, then as far as any visitor is concerned, the NSA site *is* your website, right down to the 100% valid SSL certificate with your name on it.

  • (Score: 2) by c0lo on Sunday March 30 2014, @01:09AM

    by c0lo (156) on Sunday March 30 2014, @01:09AM (#23058)

    requesting the CA to provide an SSL certificate with your website's name on it

    Which comes with a cost - note that I didn't say it cannot be done, I said "raising the cost for NSA of doing so".
    Besides, I guess there exist CAs in this world that aren't under US jurisdiction, and I can still choose to host my web site outside the US.

    Also, the context of this discussion: what could Google or Facebook do if they would try something against NSA impersonating them? Now, question: suppose that Google or Facebook would choose to become CAs for themselves, do you think the major browsers would refuse to include the certificates they issue for themselves as "trusted"?
    What is the cost of Google/Facebook doing so? Compare with the cost of suing NSA for a trademark breach.
    What would be the cost for NSA to try twisting Google/Facebook's arms to allow NSA to break the trust and set up a MitM?

    • (Score: 1) by cbiltcliffe on Sunday March 30 2014, @12:55PM

      by cbiltcliffe (1659) on Sunday March 30 2014, @12:55PM (#23195)

      The fact that there are CAs outside the US, or you could host outside the US is completely and utterly irrelevant, due to the broken design of the CA/SSL system.
      As long as a single CA exists inside the US that the NSA can coerce, then a certificate can be generated which is trusted by all major browsers, regardless of the fact that you've never used that CA yourself.
      Your choice of CA isn't enforced - isn't even provided to the client - by the SSL negotiation. That's why the breach at DigiNotar a while back was so serious. It didn't just compromise DigiNotar's customers. It compromised the entire SSL system.
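
The trust-store behaviour described in the last comment, as an added example that is not part of the original thread: default validation accepts a certificate from any trusted CA, while a client that also checks the issuing key against the one the site owner chose rejects it. Toy textbook RSA with constructed small keys stands in for real X.509 signatures, and every name here (`CA_CHOSEN`, `CA_OTHER`, `PINS`, `example.com`) is hypothetical.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by both toy CAs

@dataclass(frozen=True)
class CA:
    name: str
    n: int  # public modulus (this is all a trust store holds)
    d: int  # private exponent (held only by the CA)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig: int

def make_ca(name, p, q):
    return CA(name, p * q, pow(E, -1, (p - 1) * (q - 1)))

def digest(subject, n):
    return int.from_bytes(hashlib.sha256(subject.encode()).digest(), "big") % n

def issue(ca, subject):
    return Cert(subject, ca.name, pow(digest(subject, ca.n), ca.d, ca.n))

def browser_accepts(cert, host, trust_store):
    """Default validation: any CA in the trust store may vouch for any host."""
    n = trust_store.get(cert.issuer)
    return (n is not None and cert.subject == host
            and pow(cert.sig, E, n) == digest(cert.subject, n))

def pinned_accepts(cert, host, trust_store, pins):
    """Default validation plus a check that the issuing key is the pinned one."""
    return (browser_accepts(cert, host, trust_store)
            and trust_store[cert.issuer] in pins.get(host, ()))

# Constructed toy keys built from small Mersenne primes; insecure by design.
CA_CHOSEN = make_ca("Chosen CA", 2**61 - 1, 2**89 - 1)
CA_OTHER = make_ca("Other CA", 2**89 - 1, 2**107 - 1)
TRUST_STORE = {ca.name: ca.n for ca in (CA_CHOSEN, CA_OTHER)}  # public keys only
PINS = {"example.com": {CA_CHOSEN.n}}  # the site owner's actual CA

genuine = issue(CA_CHOSEN, "example.com")
unexpected = issue(CA_OTHER, "example.com")  # a CA the site owner never used
```

Both certificates pass `browser_accepts`; only `genuine` passes `pinned_accepts`, because nothing in the default check records which CA the site owner selected.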