[cryptography] trustwave admits issuing corporate mitm certs

Andy Steingruebl andy at steingruebl.com
Sun Feb 26 10:34:34 EST 2012


On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray <marsh at extendedsubset.com> wrote:

>
> Still it might be worth pointing that if Wells Fargo really wanted to
> forbid a Trustwave network-level MitM, SSL/TLS provides the capability to
> enforce that policy at the protocol level. They could configure their web
> app to require a client cert (either installed in the browser or from a
> smart card).
>
>
Maybe though you meant this specific type of "non-malicious" MiTM and the
problem is we don't have a name for that right now.

If you meant all MiTM though, your solution only stops attackers who
want to make it look like you're interacting with the real site, not one
who merely wishes to steal your data.  In that case they don't have to talk
to the real wells-fargo website :)

This is exactly why some people are pushing so hard for protocols that get
"exclusion" including things like CA-Pinning in Chrome, CAA, etc...

- Andy

