[cryptography] so can we find a public MitM cert sample? (Re: really sub-CAs for MitM deep packet inspectors?)

Adam Back adam at cypherspace.org
Mon Dec 5 17:57:57 EST 2011

I have to say I have my doubts that either Boingo or Sheraton hotels, or
other providers would be doing MitM for advertising/profiling or whatever
reasons to their respective wifi services.  Absent certs showing this, it's a
significantly controversial claim, and there are many many reasons you can
see something that appears suspicious at a glance.  Multiple certs for the
same domain (load balancers), legitimately changed certs, different certs
for different server farms in different geographic locations, cert warnings
before you login because of the HTTP intercept, cached/delayed versions of
the previous, localhost anti-spam/anti-virus proxies that are doing
transparent proxying, VPN routing to a MitM corporate box?  There are a lot
of things that can do unexpected things.

I'd be very interested to be proven wrong.  I'll even offer $100 by a
payment means of the (optionally anonymous) poster's choosing to the first
person who can send the list (or me offlist if you must) a MitM cert with a
valid cert chain for some form of public internet - wifi, 3g, hotel net etc.

It'd be nice if it wasn't for an SSL service that has a habit of issuing
dozens of legitimate certs to the same domain, with a mix of CAs, with a
huge server farm (that is a bit like proving a negative - how do we know it's
not their cert).

It might well be that public MitM if they exist are targeted - so only do
it to some selected/targeted small number of domains.


On Thu, Dec 01, 2011 at 04:26:15PM +0000, Rose, Greg wrote:
>On 2011 Nov 30, at 22:28 , Jon Callas wrote:
>> On Nov 30, 2011, at 9:32 PM, Rose, Greg wrote:
>>> I run a wonderful Firefox extension called Certificate Patrol. It keeps a local cache of certificates, and warns you if a certificate, CA, or public key changes unexpectedly. Sort of like SSH meets TLS. As soon as I went to my stockbroker's web site, the warnings started to appear. Then it was just checking IP addresses and stuff.
>> And I presume you didn't save the cert.
>> Of course, we just need to have people look for these and then save them.
>Yes. I regret that I had much bigger issues at the time than saving the cert. But, honestly, this is just the most recent time I've seen it... usually when traveling. I'm sure it won't be long before someone with more time and inclination than me will see another one.
>sorry about that,

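Added example, not part of the original messages and not Certificate Patrol's code: a minimal cache-and-warn check in the spirit of what the thread describes, which writes every newly seen certificate to disk so that a changed cert is saved rather than lost. The function names, the store layout and the host name are assumptions; only the leaf certificate is fetched, and the sample certificates are constructed stand-in bytes.

```python
import hashlib, json, os, ssl, tempfile, time

def fingerprint(der):
    """SHA-256 over the DER encoding, as hex."""
    return hashlib.sha256(der).hexdigest()

def fetch_leaf_der(host, port=443):
    """Leaf certificate as presented on this network path (not validated)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def observe(store_dir, host, der):
    """Record one sighting; return 'new', 'unchanged' or 'changed'."""
    os.makedirs(store_dir, exist_ok=True)
    index_path = os.path.join(store_dir, "pins.json")
    pins = {}
    if os.path.exists(index_path):
        with open(index_path) as f:
            pins = json.load(f)
    fp = fingerprint(der)
    seen = pins.setdefault(host, {})
    if fp in seen:
        return "unchanged"
    status = "changed" if seen else "new"
    # Save the certificate itself first: the file is the evidence to post.
    with open(os.path.join(store_dir, fp + ".pem"), "w") as f:
        f.write(ssl.DER_cert_to_PEM_cert(der))
    # Remember when this fingerprint was first seen for this host.
    seen[fp] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with open(index_path, "w") as f:
        json.dump(pins, f, indent=2)
    return status

if __name__ == "__main__":
    store = tempfile.mkdtemp()
    # Constructed stand-ins for DER bytes; on a live network use
    # fetch_leaf_der(host) instead.
    home = b"constructed-cert-seen-at-home"
    hotel = b"constructed-cert-seen-at-hotel"
    for der in (home, home, hotel):
        print(observe(store, "broker.example", der), fingerprint(der)[:16])
```

A "changed" result is only a lead, for the reasons listed in the message above (load balancers, reissued certs, regional server farms); the saved PEM file is what lets someone else check the chain.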