On 2011 Nov 30, at 17:18 , Lee wrote:

> On 11/30/11, Rose, Greg <g...@qualcomm.com> wrote:
>>
>> On 2011 Nov 30, at 16:44 , Adam Back wrote:
>>
>>> Are there really any CAs which issue sub-CA for "deep packet inspection" aka
>>> doing MitM and issue certs on the fly for everything going through them:
>>> gmail, hotmail, online banking etc.
>>
>> Yes, there are. I encountered one in a hotel at Charles de Gaulle airport a
>> few weeks ago.
>
> How did you know there was a MITM if it gave out a valid cert?

I run a wonderful Firefox extension called Certificate Patrol. It keeps a local cache of certificates, and warns you if a certificate, CA, or public key changes unexpectedly. Sort of like SSH meets TLS. As soon as I went to my stockbroker's web site, the warnings started to appear. Then it was just checking IP addresses and stuff.

Greg.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
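
The kind of check described in the message above (a local cache that flags a changed certificate, CA or public key even when the chain validates), sketched as an added example that is not part of the original message and not Certificate Patrol's own code. It assumes the certificate fields have already been extracted from the handshake; the host name, issuer names and byte strings are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    """What a client sees in one TLS handshake (fields assumed pre-extracted)."""
    cert_der: bytes   # leaf certificate, DER
    spki_der: bytes   # leaf SubjectPublicKeyInfo, DER
    issuer: str       # issuer distinguished name

    def record(self):
        h = lambda b: hashlib.sha256(b).hexdigest()
        return {"cert": h(self.cert_der), "key": h(self.spki_der), "issuer": self.issuer}

class PinCache:
    """Trust-on-first-use cache: host -> last accepted record."""
    def __init__(self):
        self.seen = {}

    def check(self, host, obs):
        """Return a list of warnings; empty means first visit or no change."""
        new, old = obs.record(), self.seen.get(host)
        if old is None:
            self.seen[host] = new      # first contact: remember, like SSH known_hosts
            return []
        warnings = []
        if new["issuer"] != old["issuer"]:
            warnings.append("CA changed: %s -> %s" % (old["issuer"], new["issuer"]))
        if new["key"] != old["key"]:
            warnings.append("public key changed")
        if new["cert"] != old["cert"] and not warnings:
            warnings.append("certificate reissued (same key, same CA)")
        return warnings                # cache is NOT updated until the user accepts

    def accept(self, host, obs):
        self.seen[host] = obs.record()

# Constructed sample data: placeholder bytes, not real certificates.
HOME = Observation(b"leaf-cert-v1", b"server-key-A", "CN=Example Public CA")
RENEWED = Observation(b"leaf-cert-v2", b"server-key-A", "CN=Example Public CA")
HOTEL = Observation(b"forged-on-the-fly", b"proxy-key-Z", "CN=Example Inspection Sub-CA")

def demo():
    cache = PinCache()
    return [cache.check("broker.example", o) for o in (HOME, RENEWED, HOTEL)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The comparison is against the client's own history rather than the trust store, so a certificate that chains to a trusted root still raises a warning when its issuer or key differs from what was seen before.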