[cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

Lucky Green shamrock at cypherpunks.to
Sun Dec 4 00:34:40 EST 2011

On 2011-12-02 03:18, Adam Back wrote:
[Other aspects of Adam's post elided to be addressed in a different
context. My response here focuses exclusively on the very narrow
question of corporate MITM SSL proxies]

> 2. corporate LAN SSL MitM (at least the corporation has probably a contract
> with all users of the LAN waiving their privacy).  Probably even then its
> illegal re expectation of privacy in workplace in most contexts in US &
> Europe.
> Obviously the most interesting ones are 3 & 4.  But Peter says he has
> evidence 2 (LAN mitm) is going on in the name of deep packet inspection I
> guess in corporate LANs and that itself employees should be aware of that.

I can't speak to European workplace regulations. Here in the U.S. it is
common practice for enterprise environments to employ both inbound and
outbound content inspection and filtering, including DLP and extrusion

Those enterprises that do and even most corporate environments that
don't will typically have a corporate CA root that automatically gets
pushed out via Active Directory to the standard in-house Windows OS

That in-house CA may or may not chain to a public CA. Whether or not
such chaining takes place is irrelevant for content-inspection purposes,
since the resultant ephemeral destination site SSL server certs are only
ever seen in-house. (This is for example how your standard in-house Blue
Coat installation works).

Note however that there are many reasons why an enterprise may push an
in-house root or sub-CA to the desktop that have nothing to do with
anybody intercepting content.

--Lucky Green