[cryptography] trustwave admits issuing corporate mitm certs

Thierry Moreau thierry.moreau at connotech.com
Mon Feb 13 13:22:31 EST 2012


Harald Hanche-Olsen wrote:
> [Jeffrey Walton <noloader at gmail.com> (2012-02-12 10:57:02 UTC)]
> 
> 
>> (2) Did the other end of the SSL/TLS tunnel also agree to be monitored?
> 
> Rhetorical question? The obvious answer is "no".
> 

Typically, the other end is a protocol entity in the server role in the
SSL/TLS connection.

If the server agrees to communicate with an unauthenticated client, well
that's it. The "monitoring" here may not even be present by definition.

As a server operator, do I have any legitimacy in expecting your
firewall to abstain from an application-layer proxy/gateway function for
my content? After all, your firewall may be operated willfully by the
very end-user which I declined to authenticate.

My secure server project simply does not accept connections from
unauthenticated clients, which implies a client public/private key pair.
You are either serious about security, or you are not.

If you willfully establish a firewall configured with your private key
credentials, then the firewall could be seen by my server as if it was
your controlled environment. But that was your decision in the first place.

Generally, end-users were victims of browser suppliers who made the
management of trusted CA certificates very challenging. Insecure from
day 1! Had the chain of trust (up to the root CA) been meaningfully
displayed to the end-user (upon a right click menu item) for "secure"
contents, the corporate mitm certificates would have been easily
identified. Additionally, it should be easy to disable a root CA
certificate when shown to be the current basis of trust for some content.


-- 
- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691
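The two remedies the message asks for (a chain of trust that is meaningfully shown to the end-user, and a root CA that is easy to disable) can be demonstrated with Go's standard `crypto/x509` package. The program below is an added illustration, not code from the original message or from the mailing list: it mints a constructed "Genuine Public Root", a constructed "Corporate MITM Root", and two certificates for the constructed host `bank.example`, one from each root. `ChainRoot` reports which root a presented certificate actually chains to, and `TrustStore` rebuilds the trusted set with a named root left out, so the interception chain stops validating. All names, hosts and helper functions are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers, unique per demo run

// NewCert mints a throwaway certificate for the demo (constructed, in memory only).
// With parent == nil it returns a self-signed root CA; otherwise it returns a
// server certificate for the DNS name `name`, signed by parent.
func NewCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.BasicConstraintsValid = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// TrustStore builds the pool of roots the user currently trusts from the roots
// installed on the machine, leaving out any root whose CommonName is listed in
// disabled. This is the "disable a root CA certificate" action.
func TrustStore(installed []*x509.Certificate, disabled ...string) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range installed {
		off := false
		for _, d := range disabled {
			if c.Subject.CommonName == d {
				off = true
			}
		}
		if !off {
			pool.AddCert(c)
		}
	}
	return pool
}

// ChainRoot validates leaf for host against roots and returns the CommonName
// of the root the chain terminates at. Showing this name next to the padlock
// is the "meaningfully displayed chain of trust": a chain ending at a locally
// installed corporate root is visible at a glance instead of silently accepted.
func ChainRoot(leaf *x509.Certificate, host string, roots *x509.CertPool) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return "", err
	}
	chain := chains[0] // [leaf, ..., root]
	return chain[len(chain)-1].Subject.CommonName, nil
}

func main() {
	const host = "bank.example" // constructed host name
	genuine, genuineKey := NewCert("Genuine Public Root", nil, nil)
	corp, corpKey := NewCert("Corporate MITM Root", nil, nil)
	realLeaf, _ := NewCert(host, genuine, genuineKey)
	mitmLeaf, _ := NewCert(host, corp, corpKey)
	installed := []*x509.Certificate{genuine, corp} // corporate root was pushed to the machine

	all := TrustStore(installed)
	for _, leaf := range []*x509.Certificate{realLeaf, mitmLeaf} {
		root, err := ChainRoot(leaf, host, all)
		fmt.Printf("%s: chain ends at %q (err=%v)\n", host, root, err)
	}
	pruned := TrustStore(installed, "Corporate MITM Root")
	_, err := ChainRoot(mitmLeaf, host, pruned)
	fmt.Println("after disabling the corporate root, interception chain rejected:", err != nil)
}
```

The same pool handling applies on the server side of the message's stricter policy: a Go server that refuses unauthenticated clients sets `tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}`, so a client certificate (and hence a client key pair) is required, and only chains ending at a root the server operator chose are accepted.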
