On 12/8/13, 5:14 PM, andrew cooke wrote:
> Google detected it and informed the French -
> http://googleonlinesecurity.blogspot.com/2013/12/further-improving-digital-certificate.html
>
> Despite it being used on a private network, and with user consent, it is
> reportedly a violation of procedures. Google classify it as a "serious
> breach".

The fact that the serious breach happened "on a private network with user consent" is a self-declaration coming from the ANSSI itself.

IMHO, having in the browser's root certificates a governmental CA that's known to engage in fake-certificate issuing for SSL inspection represents a serious breach of trust.

As a comparison, for commercial CAs like GlobalSign, for Trusted Root businesses, it's explicitly forbidden to do content-inspection proxying:

"Trusted Root is a select service with strict requirements. Trusted Root is both technically and contractually prohibited from being used for deep packet inspection/scanning of outbound/inbound HTTPS traffic."
https://www.globalsign.com/certificate-authority-root-signing/

While for a governmental CA, in the same browser's trusted root CA list, it's OK to do so?

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
