[cryptography] trustwave admits issuing corporate mitm certs
marsh at extendedsubset.com
Sat Feb 25 19:54:43 EST 2012
On 02/25/2012 05:55 PM, John Case wrote:
> When all is said and done, and Jane Doe cube peasant signs away her
> life, and the browsers all look the other way and "every CA is doing it"
> ... after all of that, does Wells Fargo actually consent to your
> bullshit Fortune 30,000 firm monitoring their online banking ?
> I'll bet not. How about eftps.gov ? How about dmv.ca.gov ?
> There are two sides to an SSL transaction ...
I agree with that sentiment.
Still, it might be worth pointing out that if Wells Fargo really wanted to
forbid a Trustwave network-level MitM, SSL/TLS provides the capability
to enforce that policy at the protocol level. They could configure their
web app to require a client cert (either installed in the browser or
from a smart card).
Would it be free? No.
Would it work in every situation on every weird device anyone ever
wanted to use? No.
Would it protect from malware on the client system? No.
Would it be less convenient for everyone? Yes.
But there are some pretty large deployments out there, which proves that
it is at least possible. B2B and embedded protocols use client certs all
the time. If they were more widely used, they would certainly get easier.
So if there are actually effective ways that a web site could disable
Trustwave-style MitM, and the site elects not to deploy them for reasons
that are essentially just cost and convenience, someone might make the
argument that it represents tacit approval.
I don't think I would try to make that argument in the current web
environment today. But maybe we'll see it being made by someone at some
point in the future?
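Marsh's point, that a site can enforce a no-MitM policy at the protocol level by requiring a client certificate, as an added Go example (this is not code from the original post, from Trustwave, or from any bank). It mints a throw-away bank root CA, a server certificate for the assumed hostname bank.example and a client certificate for a user "jane" (all three hypothetical), runs the bank's TLS front end once with the default web setting (server authentication only) and once with RequireAndVerifyClientCert, and dials each twice: as Jane, who holds the client key, and as a Trustwave-style interception proxy making its upstream connection to the bank. The proxy can show the browser a certificate from the corporate CA, but it has no copy of Jane's private key, so it can only dial the bank without a client certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert mints a throw-away P-256 certificate for cn: self-signed (a root CA)
// when parent is nil, otherwise signed by parent/parentKey. Leaves get cn as SAN.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:      pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// startBank is the bank's TLS front end. clientAuth is tls.NoClientCert (the usual
// web setting) or tls.RequireAndVerifyClientCert (the post's policy: the client
// must present a certificate chaining to trust). "hello" goes out only after the
// whole handshake, client verification included, has succeeded.
func startBank(cert *x509.Certificate, key *ecdsa.PrivateKey, trust *x509.CertPool, clientAuth tls.ClientAuthType) net.Listener {
	cfg := &tls.Config{ClientAuth: clientAuth, ClientCAs: trust,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	check(err)
	go func() { // the clients below connect one at a time, so serve sequentially
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			if c.(*tls.Conn).Handshake() == nil { // fails when a required client cert is absent
				c.Write([]byte("hello"))
			}
			c.Close()
		}
	}()
	return ln
}

// connect dials the bank trusting trust. A nil clientCert models the proxy's
// upstream leg: it can re-sign the bank's certificate for the browser, but it
// does not hold Jane's private key. Returns nil only once application data arrives.
func connect(addr string, trust *x509.CertPool, clientCert *x509.Certificate, clientKey *ecdsa.PrivateKey) error {
	cfg := &tls.Config{RootCAs: trust, ServerName: "bank.example"} // assumed hostname
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	// Under TLS 1.3 the client finishes its half of the handshake before the server
	// has checked the client certificate, so the rejection alert surfaces on this read.
	_, err = conn.Read(make([]byte, 5))
	return err
}

// runScenarios reports, per "<server policy>/<client>", whether the client got
// application data: "jane" holds the client key, "proxy" does not.
func runScenarios() map[string]bool {
	bankCA, bankCAKey := issueCert("Bank Root CA", true, nil, nil)
	srvCert, srvKey := issueCert("bank.example", false, bankCA, bankCAKey)
	janeCert, janeKey := issueCert("jane", false, bankCA, bankCAKey)
	trust := x509.NewCertPool()
	trust.AddCert(bankCA)
	results := map[string]bool{}
	for policy, auth := range map[string]tls.ClientAuthType{
		"server-auth-only": tls.NoClientCert, "client-cert-required": tls.RequireAndVerifyClientCert,
	} {
		ln := startBank(srvCert, srvKey, trust, auth)
		results[policy+"/jane"] = connect(ln.Addr().String(), trust, janeCert, janeKey) == nil
		results[policy+"/proxy"] = connect(ln.Addr().String(), trust, nil, nil) == nil
		ln.Close()
	}
	return results
}
```

Calling runScenarios() gives four outcomes: Jane reaches application data under both policies, the proxy only under "server-auth-only"; under "client-cert-required" the bank aborts the handshake with the proxy before any request can be relayed. Two caveats from the post carry over unchanged: the requirement does nothing against malware on Jane's machine, which can use her key exactly as she would (a smart card keeps the key from being copied but not from being used while the card is inserted), and the proxy can still terminate the browser's side of the connection; what it cannot do is complete the leg to the bank.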