[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Adam Back adam at cypherspace.org
Tue Dec 6 06:57:25 EST 2011


Yes, Peter said the same, BUT do you think they have a valid cert chain?  Or
is it signed by a self-signed company internal CA, and the company internal
CA added to the corporate install that you mentioned...  That's the cut-off
of acceptability for me - full public valid cert chain on other people's
domains for MitM, that's very bad.  Internal cert chain via adding cert to
browser - corporate can go for it, it's their network, their equipment to
install software on!

(Bearing in mind it's the corporate intention to keep other people off their
network with firewalls, network auth etc).  One claim by Lucky, if I recall,
is that the new trend in bring your own device (iphone, android, ipad etc)
starts to cause a conflict - it becomes complicated for the corporate to expect
to install certs into all those browsers.  They no longer control the OS/app
install.

I think that's true - but in effect if your environment is that security
conscious, you probably should not be allowing BYOD anyway - who knows what
malware is on it; bypassing your egress is completely _trivial_ with
software, or even just config of software.  And anyway, since when does your
minor inconvenience of installing certs authorize you or CAs to subvert
the SSL guarantee and other people's security?  Even people who have
internal CAs for certification SHOULD NOT be abusing them for MitM.

Adam

On Tue, Dec 06, 2011 at 10:52:43AM +0000, Florian Weimer wrote:
>* Adam Back:
>
>> Are there really any CAs which issue sub-CA for "deep packet inspection" aka
>> doing MitM and issue certs on the fly for everything going through them:
>> gmail, hotmail, online banking etc.
>
>Such CAs do exist, but to my knowledge, they are enterprise-internal CAs
>which are installed on corporate devices, presumably along with other
>security software.  Even from a vendor point of view, this additional
>installation step is desirable because it fits well with a per-client
>licensing scheme, so I'm not sure what the benefit would be to get a
>certificate leading to one of the public roots.
>
>-- 
>Florian Weimer                <fweimer at bfk.de>
>BFK edv-consulting GmbH       http://www.bfk.de/
>Kriegsstraße 100              tel: +49-721-96201-1
>D-76133 Karlsruhe             fax: +49-721-96201-99
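As an added example, not part of this thread and not any vendor's product code, the following Go program models the two cases Adam distinguishes above. An interception proxy holds a self-signed internal CA and mints a server certificate on the fly for whatever hostname the client asked for; the client then checks that certificate against a trust store that does not contain the internal root (the "public chain" case, where the forged cert must fail) and against one where the corporate root has been installed (the "corporate install" case, where it verifies cleanly). The CA name and hostnames are hypothetical placeholders; the empty pool stands in for a public root store, which would reject the chain for the same reason.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Interceptor models a deep-packet-inspection proxy: it holds a self-signed
// internal CA and mints a leaf certificate for whichever hostname the client
// asked for, at connection time. CA name and hostnames here are hypothetical.
type Interceptor struct {
	CACert *x509.Certificate
	caKey  *ecdsa.PrivateKey
}

// issue signs tmpl with parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewInterceptor creates the proxy's self-signed internal CA.
func NewInterceptor(caName string) (*Interceptor, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &Interceptor{CACert: cert, caKey: key}, nil
}

// MintLeaf forges a server certificate for host under the internal CA, as the
// proxy would do for every intercepted connection.
func (ic *Interceptor) MintLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, ic.CACert, &key.PublicKey, ic.caKey)
}

// ClientAccepts is the client-side check: build a chain from leaf to one of
// roots for the expected host. A nil result is what a browser shows as valid.
func ClientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// UntrustedIssuer reports whether a failure is specifically "chains to a root
// this client does not trust", as opposed to a hostname or validity error.
func UntrustedIssuer(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	ic, err := NewInterceptor("Example Corp Internal CA")
	if err != nil {
		panic(err)
	}
	leaf, err := ic.MintLeaf("mail.example.com")
	if err != nil {
		panic(err)
	}
	// Client without the corporate root installed: the forged cert must fail.
	err = ClientAccepts(leaf, "mail.example.com", x509.NewCertPool())
	fmt.Printf("unmanaged client: %v (untrusted issuer: %t)\n", err, UntrustedIssuer(err))
	// The "corporate install" case: the internal root has been added to the store.
	corp := x509.NewCertPool()
	corp.AddCert(ic.CACert)
	fmt.Printf("managed client: err=%v issuer=%q\n",
		ClientAccepts(leaf, "mail.example.com", corp), leaf.Issuer.CommonName)
}
```

Run it with `go run`: the first line reports an unknown-authority failure, the second verifies and shows the issuer a user would see by inspecting the chain, which is exactly the tell-tale Adam asks about (internal CA name rather than a public root). Only a sub-CA chaining to a public root would make the first check pass too, which is the case the thread calls unacceptable.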
