[cryptography] trustwave admits issuing corporate mitm certs

coderman coderman at gmail.com
Mon Feb 27 18:08:43 EST 2012


On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray <marsh at extendedsubset.com> wrote:
>...
> Still it might be worth pointing that if Wells Fargo really wanted to forbid
> a Trustwave network-level MitM, SSL/TLS provides the capability to enforce
> that policy at the protocol level. They could configure their web app to
> require a client cert (either installed in the browser or from a smart
> card).

many years ago at $my_old_telco_employer they supported web based call
monitoring. they required a client side cert purchased from verisign
specifically for the purpose. we had pages of documentation detailing
how to generate the request, and add the cert into your browser.

this was the first and only time i had ever used client certificates
from a CA vendor in such a manner.

mutual authentication... what a concept. is it really that rare?



More information about the cryptography mailing list