Maciej Soltysiak via HTTPS-Everywhere writes:

> Hi,
>
> My company is implementing blue coat intercepting proxy to scan for malware.
> The proxy intercepts TLS connections, on-the-fly generates a cert and does
> MITM.
> The clients are supposed to have certs installed to be fooled by the proxy.
>
> Now, in Firefox, I installed the certs of the decryptor, installed HTTPS
> Everywhere, enabled SSL Observatory, asked it to check certs even if not on
> Tor and have:
> * Submit and check self-signed certs
> * Submit and check certificates signed by non-standard root CAs.
>
> I would've expected SSL Observatory to warn me that my connection is
> tampered with, yet it doesn't.
>
> Any advice, please? Are the SSL Observatory checks using the firefox proxy
> settings?

Hi Maciej,

The SSL Observatory's warning feature, as far as I know, requires a manual action by the HTTPS Everywhere developers, and has so far never been activated. That is, so far the functionality of the Observatory has been limited to passively collecting data.

The Observatory does accept reports of certificates issued by intercepting proxies and many such reports exist in the database. This might eventually contribute to some kinds of research about these proxies.

Warning people about corporate MITM proxies is a difficult problem which has been debated extensively by browser developers. The biggest part of the problem is that the people deploying these proxies very commonly control the endpoints, so if browsers or extensions warned people about the MITM certificates in a way that the organizations disliked, they could eventually disable the warnings or forbid use of that software. (Of course, the exact level of technical control that they exercise over endpoints is different from organization to organization.)

If HTTPS Everywhere did try to warn about every apparently-misissued certificate from a non-publicly-trusted root, it would have to warn about _every_ certificate from such roots, which means every user whose browser had added a root certificate would receive a warning about every site (even internal organizational sites, where the certificates are not, in fact, misissued or intended to facilitate interception).

I'm not sure this feature would be very useful, but if you think that's what users may expect, we could consider changing how the options are described within the user interface.

-- 
Seth Schoen <[email protected]>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
