On Thu, Oct 23, 2014 at 02:30:59PM -0700, John Nagle wrote:
> On 10/23/2014 02:00 PM, Richard Barnes wrote:
>    You're probably right.  What Cloudflare provides by default is
> "Flexible SSL", in which Cloudflare acts as a MITM:

Cloudflare acts as a MITM for *all* SSL modes -- because it needs to see the
content to work its mojo.  Even with keyless SSL, Cloudflare's still seeing
the content in the clear.  I'm wondering how any bank or other institution
dealing with financial data would consider that OK, but I'm not in that
business...

/me shoves the bundles of bills further under the mattress

>   It's a form of security theater.  Just enough to turn on the lock
> icon.

Hey, it means the NSA has to watch less wires, right?  Just watch the
traffic coming out of Cloudflare's facilities to the origin servers!

>    For policy, here are the current CA/Browser Forum baseline
> requirements.
> 
> https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf
> 
>    The cert being discussed here has an Organization
> field (O) of "Cloudflare, Inc." Per section 9.2.4(a),
> "If present, the subject:organizationName field MUST contain either
> the Subject’s name or DBA as verified under Section 11.2".
> 
>    The issue here is that the cert contains domain names who
> are not the Subject of the certificate.

That's not what the BRs are requiring, though.  The O field must list the
organization to whom the certificate was issued (and, presumably, that must
be the organization which is operating the endpoint to which the TLS
connection is established, although that's not as clear-cut).  The BRs
*don't* require that the serverAltNames listed in the certificate are owned
by the organization listed in the certificate.

>    There's no reason to do this any more.  We have TLS now.

Again, s/TLS/SNI/?

- Matt

-- 
I seem to have my life in reverse. When I was a wee'un, it seemed perfectly
normal that one could pick up the phone and speak to anybody else in the
world who also has a phone. Now I'm older and more experienced, I'm amazed
that this could possibly work. -- Peter Corlett, in the Monastery

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to