On Jul 21, 2025, at 15:34, Ross Finlayson <finlay...@live555.com> wrote:
>
> First you note that client-side certificates can be used to implement
> snooping.
You misunderstood what I wrote, and I attempted to correct that in the prior
email, which you are now perceiving as me saying two incompatible things.
I will try one more time.
The required setup for a “corporate security gateway” (a.k.a. snooping
middlebox) includes these steps:
1. The middlebox mints a self-signed CA signing certificate.
2. Site IT arranges for its public half to be installed into the root CA trust
stores of all site PCs, mobiles, tablets…
3. Site network admins force all 443 traffic to the middlebox.
When a client in this regime connects to, let us say google.com, the connection
goes to the middlebox, which then *manufactures on the fly* a TLS cert for
google.com, signed by its own CA root cert, causing the client to *mistakenly*
trust that it is talking to Google, because the TLS cert was signed by a CA it
was told to trust by site IT. The client therefore proceeds to issue its HTTP
request.
The middlebox takes that and contacts the actual google.com servers, pulls the
requested URL, inspects the content to determine if it is willing to forward
it, and only then reencrypts it under the bogus google.com certificate it
previously produced. The client trusts this reply for the same reason it
allowed the TLS setup.
Client certificates defeat this scheme for servers that require them, because
the middlebox is unlikely to have copies of both halves of every client-side
cert.
Consider the BYOD case: site IT can demand that all employees put the middlebox
CA cert onto their devices as a precondition to allowing access to the Internet
— limited to approved sites, of course — but while they can _try_ to get the
employee to give up client-side certs for all the apps on that phone as well,
this will not be 100% effective in an organization of any significant size.
One of two things then happens:
1. The middlebox drops the connection because it cannot impersonate the client,
cluing the BYOD owner in that something is hinky.
2. The middlebox passes the connection through without meddling, end user value
triumphing over centralized snooping.
_______________________________________________
live-devel mailing list
live-devel@lists.live555.com
http://lists.live555.com/mailman/listinfo/live-devel
