On 2011-12-02 03:18, Adam Back wrote:

[Other aspects of Adam's post elided to be addressed in a different context. My response here focuses exclusively on the very narrow question of corporate MITM SSL proxies.]

> 2. corporate LAN SSL MitM (at least the corporation has probably a contract
> with all users of the LAN waiving their privacy). Probably even then it's
> illegal re expectation of privacy in workplace in most contexts in US &
> Europe.
> [...]
> Obviously the most interesting ones are 3 & 4. But Peter says he has
> evidence 2 (LAN mitm) is going on in the name of deep packet inspection I
> guess in corporate LANs and that itself employees should be aware of that.

I can't speak to European workplace regulations. Here in the U.S. it is common practice for enterprise environments to employ both inbound and outbound content inspection and filtering, including DLP and extrusion prevention.

Those enterprises that do, and even most corporate environments that don't, will typically have a corporate CA root that automatically gets pushed out via Active Directory to the standard in-house Windows OS distribution. That in-house CA may or may not chain to a public CA. Whether or not such chaining takes place is irrelevant for content-inspection purposes, since the resultant ephemeral destination-site SSL server certs are only ever seen in-house. (This is, for example, how your standard in-house Blue Coat installation works.)

Note however that there are many reasons why an enterprise may push an in-house root or sub-CA to the desktop that have nothing to do with anybody intercepting content.

--Lucky Green

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
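The mechanism described in the post, as an added example that is not part of Lucky Green's message or the list thread: an openssl CLI walk-through that builds a constructed in-house root (the kind pushed out via Active Directory), mints an ephemeral server certificate for a destination host under it the way an intercepting proxy does, and then performs the client-side check a user or admin can make: the leaf verifies only against the in-house root, not against a stand-in public root, and its issuer names the corporate CA rather than the site's real CA. The names (Corp Root CA, Public Root CA, www.example.com), the file layout and the minimal openssl.cnf are assumptions of this example; nothing here touches a real CA, proxy or site.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates how an intercepting
# proxy mints per-destination certs under an in-house root, and how to check
# which root a presented chain really terminates in. All material is built
# locally and is constructed for the demo.
set -u

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_root DIR NAME CN: a self-signed root, used both for the in-house root
# (the one pushed to desktops) and for a stand-in "public" root. Writes
# DIR/NAME.pem and DIR/NAME.key.
make_root() {
    dir=$1; name=$2; cn=$3
    write_openssl_cnf "$dir/openssl.cnf"
    openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" \
        -subj "/CN=$cn" -days 1 >/dev/null 2>&1
}

# mint_ephemeral_leaf DIR ROOTNAME HOST: what the proxy does for each
# destination site the first time a client connects to it. The leaf carries
# the destination hostname in its SAN and is signed by the in-house root.
mint_ephemeral_leaf() {
    dir=$1; root=$2; host=$3
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/$root.pem" \
        -CAkey "$dir/$root.key" -CAcreateserial -out "$dir/$host.pem" \
        -days 1 -extfile "$dir/$host.ext" >/dev/null 2>&1
}

# chain_verifies CAFILE LEAF: exit 0 if LEAF chains to a root in CAFILE,
# 1 otherwise. This is the check a client trust store performs.
chain_verifies() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# issuer_cn CERT: prints the issuer CN, which is the quickest thing a user can
# look at to see who actually signed the cert their browser received.
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# demo_intercept DIR: run the whole story once and report.
demo_intercept() {
    d=$1
    make_root "$d" corp-root "Corp Root CA"
    make_root "$d" public-root "Public Root CA"
    mint_ephemeral_leaf "$d" corp-root www.example.com
    printf 'leaf issuer: %s\n' "$(issuer_cn "$d/www.example.com.pem")"
    if chain_verifies "$d/corp-root.pem" "$d/www.example.com.pem"; then
        echo "verifies against in-house root: yes"
    fi
    if ! chain_verifies "$d/public-root.pem" "$d/www.example.com.pem"; then
        echo "verifies against public root:   no"
    fi
}

demo_intercept "$(mktemp -d)"
```

The point the post makes about chaining is visible in the last two checks: the ephemeral leaf is only ever trusted by clients that carry the in-house root, so whether that root is itself cross-signed by a public CA changes nothing for inspection. Conversely, a cert for a public site whose issuer is the corporate root rather than the site's own CA is the tell-tale an employee would look for.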
