[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Ondrej Mikle ondrej.mikle at nic.cz
Sun Dec 4 03:18:06 EST 2011

This thread is amazing. I've known just a fractions/hints of the practices
described here. Few comments/questions inline/below.

On 12/04/11 07:37, Lucky Green wrote:
> Concur. The standard sub-CA contracts contain a right to audit the
> number of certs issued, like any enterprise-wide software license
> agreement does include a right to audit used seats. Not once in over 30
> years have I seen such an audit performed. There is no reason to audit:
> when you buy a sub-CA, the public CA's rep will work out a contract that
> gives you the right to use as many certs and more as you conceivably
> could use given the application to which you plan to put the sub-CAs.
> Keeping count of actual certs issued would only add cost to both the
> sub-CA customer and the root CA provider. There is simply no business
> case for auditing the number of certs issued.

On 12/02/11 11:02, Peter Gutmann wrote:
> It's not just a claim, I've seen them too.  For example I have a cert issued
> for google.com from such a MITM proxy.  I was asked by the contributor not to
> reveal any details on it because it contains the name and other info on the
> intermediate CA that issued it, but it's a cert for google.com used for deep
> packet inspection on a MITM proxy.  I also have a bunch of certs from private-
> label CAs that chain directly up to big-name public CAs, there's no technical
> measure I can see in them anywhere that would prevent them from issuing certs
> under any name.

How do MitM boxes react when they MitM connection to a server with self-signed
cert (or cert issued by an obsure CA not trusted by MitM box)? Do the boxes send
to client also an auto-generated self-signed cert that generates warning or
"re-sign" it so that client sees valid chain?

MitM-re-signing an unverifiable chain of server to a chain that's trusted at the
MitM-ed client would be hilarious, allowing to MitM a MitM box (though this
would be an easily avoidable mistake to make).

Given the state of security/auditing of "private sub-CAs" as described, was
there ever a report of a breach (e.g. stolen key, fraudulently issued certs)?

While chasing data from my scans around, I checked history of few CAs. Most
oddly hilarious "trusted" CA is probably SAIC (Science Applications
International Corporation). Reason: SAIC led the development of Trailblazer
Project for NSA (in my book this tops much-too-obvious CAs of other TLA agencies).
Also, Network Solutions, L.L.C (also a CA) was owned by SAIC at some time.
Later, Network Solutions did not acquire exactly "good guy" reputation.
Don't get me wrong: I'm not claiming either of the mentioned CAs did anything
egregious subverting CA-trust placed in them. I have no intention to single them
out as "shady", additional search would turn up many more CAs.

Hypothetical question: assume enough people get educated how to spot the MitM
box at work/airport/hotel. Let's say few of them post the MitM chains publicly
which point to a big issuing CA. It was said (by Peter I think) that nothing
would likely happen to big issuing CAs (too-big-to-fail). Would the MitM-ing
sub-CAs take the fall? (lose license and invested funds)


More information about the cryptography mailing list