[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Ben Laurie ben at links.org
Thu Dec 1 01:01:36 EST 2011


On Thu, Dec 1, 2011 at 5:32 AM, Rose, Greg <ggr at qualcomm.com> wrote:
>
> On 2011 Nov 30, at 17:18 , Lee wrote:
>
>> On 11/30/11, Rose, Greg <ggr at qualcomm.com> wrote:
>>>
>>> On 2011 Nov 30, at 16:44 , Adam Back wrote:
>>>
>>>> Are there really any CAs which issue sub-CA for "deep packet inspection"
>>>> aka
>>>> doing MitM and issue certs on the fly for everything going through them:
>>>> gmail, hotmail, online banking etc.
>>>
>>> Yes, there are. I encountered one in a hotel at Charles de Gaulle airport a
>>> few weeks ago.
>>
>> How did you know there was a MITM if it gave out a valid cert?
>
> I run a wonderful Firefox extension called Certificate Patrol. It keeps a local cache of certificates, and warns you if a certificate, CA, or public key changes unexpectedly. Sort of like SSH meets TLS. As soon as I went to my stockbroker's web site, the warnings started to appear. Then it was just checking IP addresses and stuff.

So ... let's see the cert(s), then!
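As an added illustration (not from this thread, and not Certificate Patrol's own code), a minimal trust-on-first-use cache of the kind Greg describes: it remembers what a host presented last time and classifies a change of certificate, key or CA, treating a changed issuer as the strongest signal. Host names, fingerprints and CA names are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class CertObservation:
    """One TLS connection's view of a host (all sample values below are constructed)."""
    host: str
    cert_sha256: str     # fingerprint of the whole leaf certificate
    spki_sha256: str     # fingerprint of the leaf public key (SubjectPublicKeyInfo)
    issuer: str          # CA named as issuer in the presented chain
    not_after: datetime  # leaf expiry
    seen_at: datetime

class CertCache:
    """Trust-on-first-use cache: remember what each host presented last time and
    classify any change; a different issuer (a proxy signing with its own sub-CA)
    is the strongest signal, a new key before expiry the next strongest."""

    def __init__(self):
        self._seen = {}

    def observe(self, obs):
        prev = self._seen.get(obs.host)
        self._seen[obs.host] = obs
        if prev is None:
            return ("first-seen", "no prior certificate cached for this host")
        if prev.cert_sha256 == obs.cert_sha256:
            return ("unchanged", "same certificate as last time")
        if prev.issuer != obs.issuer:
            return ("warn-ca-changed", f"issuer changed from {prev.issuer!r} to {obs.issuer!r}")
        if prev.spki_sha256 != obs.spki_sha256:
            early = " before the cached certificate expired" if obs.seen_at < prev.not_after else ""
            return ("warn-key-changed", "public key changed" + early)
        return ("info-renewed", "new certificate, same key and same CA (looks like a renewal)")

def sample_sequence():
    """Replay constructed observations for one host; returns the verdict kinds in order."""
    t = datetime(2011, 11, 15, tzinfo=timezone.utc)
    exp = datetime(2012, 11, 15, tzinfo=timezone.utc)
    ca = "CN=Example Public CA"
    seq = [
        CertObservation("broker.example", "aa" * 32, "11" * 32, ca, exp, t),  # first visit
        CertObservation("broker.example", "aa" * 32, "11" * 32, ca, exp, t),  # same cert again
        CertObservation("broker.example", "bb" * 32, "11" * 32, ca, exp, t),  # reissued, same key
        CertObservation("broker.example", "cc" * 32, "22" * 32, "CN=Hotel Inspection Sub-CA", exp, t),
    ]
    cache = CertCache()
    return [cache.observe(o)[0] for o in seq]
```

A real client would populate the observations from the served chain and persist the cache across sessions; the classification logic is the part worth keeping.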
