[cryptography] trustwave admits issuing corporate mitm certs

Kevin W. Wall kevin.w.wall at gmail.com
Mon Feb 27 18:17:27 EST 2012


On Mon, Feb 27, 2012 at 6:08 PM, coderman <coderman at gmail.com> wrote:
> On Sat, Feb 25, 2012 at 4:54 PM, Marsh Ray <marsh at extendedsubset.com> wrote:
>>...
>> Still it might be worth pointing that if Wells Fargo really wanted to forbid
>> a Trustwave network-level MitM, SSL/TLS provides the capability to enforce
>> that policy at the protocol level. They could configure their web app to
>> require a client cert (either installed in the browser or from a smart
>> card).
>
> many years ago at $my_old_telco_employer they supported web based call
> monitoring. they required a client side cert purchased from verisign
> specifically for the purpose. we had pages of documentation detailing
> how to generate the request, and add the cert into your browser.
>
> this was the first and only time i had ever used client certificates
> from a CA vendor in such a manner.
>
> mutual authentication... what a concept. is it really that rare?

Very rare for residential consumers; not quite as rare for B2B
transactions. For instance, we regularly use it for B2B web services
and require it when ILECs or CLECs are retrieving CPNI data.
YMMV depending on your telco.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
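The policy Marsh describes above (a server requiring a client cert so that a network-level MitM box cannot complete the handshake), as an added Go example that is not from the thread or any of its posters: a TLS server over an in-memory pipe accepts a client certificate from its own private CA and rejects both a missing certificate and one issued by some other CA, which is all an interception proxy could present. The CA names, the "bank.example" host and the "alice" client are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// issue returns a short-lived P-256 cert for cn signed by parent; with a nil parent it is a self-signed CA.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // a CA signs itself and needs the certSign key usage
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// Constructed CAs: the bank's own, and one that an interception proxy might run (names are made up).
var bankCA, proxyCA = issue("bank-ca.example", nil), issue("proxy-ca.example", nil)
// Handshake runs one TLS handshake over an in-memory pipe against a server demanding a client cert chained to bankCA; true only if the server accepted.
func Handshake(clientCerts ...tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(bankCA.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{issue("bank.example", &bankCA)}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true} // the policy Marsh describes
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "bank.example", Certificates: clientCerts}
	c1, c2 := net.Pipe()
	srvConn, cliConn := tls.Server(c1, srvCfg), tls.Client(c2, cliCfg)
	go func() { // client side: finish the handshake, then read so the server's alert or close_notify is consumed
		if cliConn.Handshake() == nil {
			cliConn.Read(make([]byte, 1))
		}
		cliConn.Close()
	}()
	err := srvConn.Handshake() // "certificate required" or "unknown authority" when the policy is not met
	srvConn.Close()
	return err == nil
}
```

Handshake() with no argument models a proxy that terminates TLS but holds no client credential; Handshake(issue("alice", &proxyCA)) models one that mints its own, which the bank's ClientCAs pool does not trust.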