[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Rose, Greg ggr at qualcomm.com
Thu Dec 1 00:32:10 EST 2011


On 2011 Nov 30, at 17:18 , Lee wrote:

> On 11/30/11, Rose, Greg <ggr at qualcomm.com> wrote:
>> 
>> On 2011 Nov 30, at 16:44 , Adam Back wrote:
>> 
>>> Are there really any CAs which issue sub-CA for "deep packet inspection",
>>> aka doing MitM, and issue certs on the fly for everything going through them:
>>> gmail, hotmail, online banking etc.
>> 
>> Yes, there are. I encountered one in a hotel at Charles de Gaulle airport a
>> few weeks ago.
> 
> How did you know there was a MITM if it gave out a valid cert?

I run a wonderful Firefox extension called Certificate Patrol. It keeps a local cache of certificates, and warns you if a certificate, CA, or public key changes unexpectedly. Sort of like SSH meets TLS. As soon as I went to my stockbroker's web site, the warnings started to appear. Then it was just checking IP addresses and stuff.

Greg.
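The "SSH meets TLS" behaviour Greg describes, as an added illustration rather than Certificate Patrol's own code: a per-host cache that pins the first certificate seen and then distinguishes a routine reissue (same CA, same or near-expiry key rotation) from a change that looks like an interposed proxy (different issuing CA, or a new key long before the pinned certificate expires). Certificate records are simplified dataclasses with constructed byte strings; in real use they would be filled from a parsed X.509 chain.

```python
import hashlib
from dataclasses import dataclass, field

RENEWAL_WINDOW = 30 * 86400  # key rotation this close to expiry is treated as routine


@dataclass
class CertObservation:
    host: str
    issuer: str        # distinguished name of the issuing CA
    spki: bytes        # DER SubjectPublicKeyInfo (constructed placeholder here)
    cert_der: bytes    # full certificate bytes (constructed placeholder here)
    not_after: int     # expiry as a Unix timestamp

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.cert_der).hexdigest()

    @property
    def spki_hash(self) -> str:
        return hashlib.sha256(self.spki).hexdigest()


@dataclass
class CertCache:
    """Trust-on-first-use store: host -> last accepted CertObservation."""
    seen: dict = field(default_factory=dict)

    def check(self, obs: CertObservation, now: int):
        """Return (verdict, reason). ALERT verdicts do not update the pin."""
        prev = self.seen.get(obs.host)
        if prev is None:
            self.seen[obs.host] = obs
            return "new", "first contact; pinning certificate"
        if prev.fingerprint == obs.fingerprint:
            return "unchanged", "same certificate as cached"
        if prev.issuer != obs.issuer:
            return "ALERT", f"issuing CA changed from {prev.issuer!r} to {obs.issuer!r}"
        if prev.spki_hash != obs.spki_hash and prev.not_after - now > RENEWAL_WINDOW:
            return "ALERT", "public key changed long before the pinned certificate expires"
        self.seen[obs.host] = obs  # same CA, same key or near-expiry rotation: accept
        return "renewed", "reissued by the same CA; looks like routine renewal"


def demo():
    """Constructed sequence: first contact, repeat, reissue, then a hotel-style proxy CA."""
    cache, now, year = CertCache(), 1_700_000_000, 365 * 86400
    key = b"constructed-spki-broker-key"
    first = CertObservation("broker.example", "Example Public CA", key, b"cert-v1", now + year)
    reissued = CertObservation("broker.example", "Example Public CA", key, b"cert-v2", now + 2 * year)
    proxy = CertObservation("broker.example", "Hotel Gateway Inspection CA",
                            b"constructed-spki-proxy-key", b"cert-proxy", now + year)
    return [cache.check(o, now)[0] for o in (first, first, reissued, proxy)]
```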
