[cryptography] trustwave admits issuing corporate mitm certs

Marsh Ray marsh at extendedsubset.com
Sat Feb 25 19:54:43 EST 2012


On 02/25/2012 05:55 PM, John Case wrote:
>
> When all is said and done, and Jane Doe cube peasant signs away her
> life, and the browsers all look the other way and "every CA is doing it"
> ... after all of that, does Wells Fargo actually consent to your
> bullshit Fortune 30,000 firm monitoring their online banking ?
>
> I'll bet not. How about eftps.gov ? How about dmv.ca.gov ?
>
> There are two sides to an SSL transaction ...

I agree with that sentiment.

Still it might be worth pointing out that if Wells Fargo really wanted to 
forbid a Trustwave network-level MitM, SSL/TLS provides the capability 
to enforce that policy at the protocol level. They could configure their 
web app to require a client cert (either installed in the browser or 
from a smart card).

Would it be free? No.

Would it work in every situation on every weird device anyone ever 
wanted to use? No.

Would it protect from malware on the client system? No.

Would it be less convenient for everyone? Yes.

But there are some pretty large deployments out there, which proves that 
it is at least possible. B2B and embedded protocols use client certs all 
the time. If they were more widely used, they would certainly get easier 
to deploy.

So if there are actually effective ways that a web site could disable 
Trustwave-style MitM, and the site elects not to deploy them for reasons 
that are essentially just cost and convenience, someone might make the 
argument that it represents tacit approval.

I don't think I would try to make that argument in the current web 
environment today. But maybe we'll see it being made by someone at some 
point in the future?

- Marsh
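The mechanism Marsh describes, a site requiring a client certificate so that a network-level TLS interception box cannot complete the handshake on the user's behalf, as an added example that is not part of the original message. It uses only the Go standard library: it mints a hypothetical bank CA, a server certificate for the made-up host "bank.example", and a client certificate for a made-up user "jane.doe", then runs two loopback connections against a server configured with `tls.RequireAndVerifyClientCert`. The first connection presents the client certificate and succeeds; the second does not, which is exactly the position of an intercepting proxy that re-signs the server certificate but has no access to the user's private key. All names and the loopback setup are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue generates a P-256 key and an X.509 certificate for cn, signed by
// parent (self-signed when parent is nil). All names are hypothetical.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func newPool(ca *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca)
	return p
}

// Constructed PKI: the bank's private CA issues both the site certificate
// and the customer's client certificate.
var (
	caCert, caKey         = issue("Bank Internal CA", true, nil, nil)
	serverCert, serverKey = issue("bank.example", false, caCert, caKey)
	clientCert, clientKey = issue("jane.doe", false, caCert, caKey)
	pool                  = newPool(caCert)
)

// Attempt runs one TLS connection over loopback. The server insists on a
// client certificate from the bank CA; the client presents one only when
// withClientCert is true. It returns the server's and the client's view of
// the connection (nil on both sides means the session was established).
func Attempt(withClientCert bool) (serverErr error, clientErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the policy enforced at the protocol level
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		tc := tls.Server(c, serverCfg)
		defer tc.Close()
		if err := tc.Handshake(); err != nil {
			done <- err // e.g. "tls: client didn't provide a certificate"
			return
		}
		_, err = tc.Write([]byte("ok"))
		done <- err
	}()

	clientCfg := &tls.Config{RootCAs: pool, ServerName: "bank.example", MinVersion: tls.VersionTLS12}
	if withClientCert {
		clientCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return <-done, err
	}
	defer conn.Close()
	// Under TLS 1.3 the client's handshake returns before the server has
	// checked the certificate, so the rejection surfaces on the first read.
	_, clientErr = io.ReadFull(conn, make([]byte, 2))
	return <-done, clientErr
}

func main() {
	for _, withCert := range []bool{true, false} {
		s, c := Attempt(withCert)
		fmt.Printf("client cert presented=%v  server: %v  client: %v\n", withCert, s, c)
	}
}
```

The interesting part is the second run: the peer that lacks Jane's private key cannot produce the CertificateVerify signature the server demands, so the session never reaches application data regardless of which CA signed the server-facing certificate it presents. That is the sense in which the policy is enforced by the protocol rather than by trusting the client's network.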
