[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Nov 30 22:43:00 EST 2011


Nathan Loofbourrow <njloof at gmail.com> writes:
>On Wed, Nov 30, 2011 at 4:47 PM, Rose, Greg <ggr at qualcomm.com> wrote:
>> On 2011 Nov 30, at 16:44 , Adam Back wrote:
>>
>> > Are there really any CAs which issue sub-CA for "deep packet inspection" aka
>> > doing MitM and issue certs on the fly for everything going through them:
>> > gmail, hotmail, online banking etc.
>>
>> Yes, there are. I encountered one in a hotel at Charles de Gaulle airport
>> a few weeks ago.
>
>Yup. Boingo does this. Also, many employers.

Can someone send me a couple of certs (Amazon, Google, whatever) generated by 
one of these MITMs, specifically the full cert chain ("Save as PKCS #7" in the 
cert dialog of most browsers)?  I've got e.g. SonicWall ones where you have to 
trust the SonicWall CA cert, but presumably these are chained to a public CA 
so users don't get warnings, which means the proxies would have to be set up 
with more or less Comodogate-by-design CA certs.

Peter.


