Earlier in the discussion there were questions about why a service provider
would want to MITM their customers. This has now been answered by a service
provider: It's to protect the children. From
http://patrick.seurre.com/?p=42
Three's policy with regards to filtering is intended to
* Adam Back:
Are there really any CAs which issue sub-CA for deep packet inspection aka
doing MitM and issue certs on the fly for everything going through them:
gmail, hotmail, online banking etc.
Such CAs do exist, but to my knowledge, they are enterprise-internal CAs
which are installed on
On 6/12/11 21:52 PM, Florian Weimer wrote:
* Adam Back:
Are there really any CAs which issue sub-CA for deep packet inspection aka
doing MitM and issue certs on the fly for everything going through them:
gmail, hotmail, online banking etc.
Such CAs do exist, but to my knowledge, they are
Yes, Peter said the same, BUT do you think they have a valid cert chain? Or
is it signed by a self-signed company internal CA, and the company internal
CA added to the corporate install that you mentioned... That's the cut off
of acceptability for me - full public valid cert chain on other
On 6 Dec, 2011, at 3:43 AM, ianG wrote:
The promise of PKI in secure browsing is that it addresses the MITM. That's
it, in a nutshell. If that promise is not true, then we might as well use
something else.
Is it?
I thought that the purpose of a certificate was to authenticate the server
This is already standard practice for malware-laden sites, to
the extent that it's severely affecting things like Google Safe
Browsing and Facebook's link scanner, because Google and Facebook
always get to see benign content and only the end user gets the
malware.
This is the single
d...@geer.org writes:
This is already standard practice for malware-laden sites, to
the extent that it's severely affecting things like Google Safe
Browsing and Facebook's link scanner, because Google and Facebook
always get to see benign content and only the end user gets the
malware.
On Tue, 6 Dec 2011 12:34:37 +0100
Adam Back a...@cypherspace.org wrote:
Kids figure this stuff out getting through site restrictions on
school wifi also. Some schools try to block popular web games.. eg
runescape.
Let us not discourage either the children or the schools! This sounds
like an
On 2011-12-05 14:58, Sandy Harris wrote:
Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
You have to be inside the captive portal to see these blue-pill certs. This
is why various people have asked for samples, because only a select lucky few
will be able to experience them in the wild.
I am
On 12/05/2011 04:21 AM, Lucky Green wrote:
On 2011-12-04 12:09, Ondrej Mikle wrote:
[...]
I re-did the count of CAs whose CRLs had 'CA Compromise' as revocation reason,
about a month after Peter Eckersley did. Result was the same (counting trusted
CAs). Plus a few others (some seemed to be internal
Ondrej Mikle ondrej.mi...@nic.cz writes:
Matches my observations, especially when looking at CRLs of some small CAs
(company internal). I had a hunch some of those revocations could be due to
CA compromise, but from my point of view it is only speculation. I
appreciate sharing your
In general it looks like it's a mixture of it's configurable and it depends
on the vendor (the above only tells you what Bluecoat do). Interesting to
note that the Bluecoat hardware has problems MITM-ing Windows Update, because
Microsoft apply the quite sensible measure of only allowing
This thread is amazing. I've known just fractions/hints of the practices
described here. A few comments/questions inline/below.
On 12/04/11 07:37, Lucky Green wrote:
Concur. The standard sub-CA contracts contain a right to audit the
number of certs issued, like any enterprise-wide software
Hi,
Hypothetical question: assume enough people get educated how to spot the MitM
box at work/airport/hotel. Let's say a few of them post the MitM chains publicly
which point to a big issuing CA. It was said (by Peter I think) that nothing
would likely happen to big issuing CAs
Ondrej Mikle ondrej.mi...@nic.cz writes:
How do MitM boxes react when they MitM a connection to a server with a self-
signed cert (or cert issued by an obscure CA not trusted by the MitM box)?
For one example, see
Hi,
We're actually about to release a little tool that does exactly that,
report the encountered MitM for further scrutiny.
Great! I had some ideas how to implement and spread it, awesome to hear that
you beat me to it :-)
:) It was actually Kai Engert who made the initial suggestion,
Lucky Green shamr...@cypherpunks.to writes:
If the concern is that employees receive security warnings when accessing in-
house websites, the standard solution is to push out a corporate root via AD,
which is transparent and works quite well.
And once they get AD and/or WSUS ported to OS X and
On 2011-12-04 18:18, Ondrej Mikle wrote:
Hypothetical question: assume enough people get educated how to spot the MitM
box at work/airport/hotel. Let's say a few of them post the MitM chains publicly
which point to a big issuing CA. It was said (by Peter I think) that nothing
would likely happen
On 12/04/11 13:08, Peter Gutmann wrote:
Ondrej Mikle ondrej.mi...@nic.cz writes:
How do MitM boxes react when they MitM a connection to a server with a self-
signed cert (or cert issued by an obscure CA not trusted by the MitM box)?
For one example, see
On 2011-12-04 12:09, Ondrej Mikle wrote:
[...]
I re-did the count of CAs whose CRLs had 'CA Compromise' as revocation reason,
about a month after Peter Eckersley did. Result was the same (counting trusted
CAs). Plus a few others (some seemed to be internal company CAs; but did not
chain to a
Ondrej Mikle ondrej.mi...@nic.cz writes:
Sorry, my bad. Mismatch in my thinking-editing coordination. Originally I
wanted to ask whether you encountered a breach that was not over all the
news, but a rather localized incident at the places you and Lucky described.
Or heard about one from
Sandy Harris sandyinch...@gmail.com writes:
I am in China. How could I test whether the Great Firewall's packet sniffers
have such a cert.?
I'd be kinda surprised if they did that because it's meant to be surreptitious
and the Great Firewall isn't exactly a state secret. I'd just use the
On Fri, Dec 2, 2011 at 1:07 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
[snip]
OK, so it does appear that people seem genuinely unaware of both the fact that
this goes on, and the scale at which it happens. Here's how it works:
1. Your company or organisation is concerned about the
Well I was aware of RA things where you do your own RA and on the CA side
they limit you to issuing certs belonging to you, if I recall thawte was
selling those. (They pre-vet your ownership of some domains foocorp.com,
foocorpinc.com etc, and then you can issue www.foocorp.com, *.foocorp.com ..
On 2011-12-02 6:33 PM, Adam Back wrote:
To hand over a blank cheque sub-CA cert that could sign gmail.com is
somewhat dangerous. But you notice that geotrust require it to be in a
hardware token, and some audits blah blah, AND more importantly that you
agree not to create certs for domains you
Adam Back a...@cypherspace.org writes:
Start of the thread was that Greg and maybe others claim they've seen a cert
in the wild doing MitM on domains they definitionally do NOT own.
It's not just a claim, I've seen them too. For example I have a cert issued
for google.com from such a MITM proxy.
On Fri, Dec 2, 2011 at 10:02 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
Adam Back a...@cypherspace.org writes:
Start of the thread was that Greg and maybe others claim they've seen a cert
in the wild doing MitM on domains they definitionally do NOT own.
It's not just a claim, I've seen
On 12/01/2011 07:45 AM, James A. Donald wrote:
... We have to reconstruct our institutions for third world trust
levels and southern European trust levels. Institutions characteristic
of Europe and the old North America are no longer capable of
functioning,...
as a south European I could
On 2011 Nov 30, at 22:28 , Jon Callas wrote:
On Nov 30, 2011, at 9:32 PM, Rose, Greg wrote:
I run a wonderful Firefox extension called Certificate Patrol. It keeps a
local cache of certificates, and warns you if a certificate, CA, or public
key changes unexpectedly. Sort of like SSH
On 2/12/11 03:26 AM, Rose, Greg wrote:
On 2011 Nov 30, at 22:28 , Jon Callas wrote:
On Nov 30, 2011, at 9:32 PM, Rose, Greg wrote:
I run a wonderful Firefox extension called Certificate Patrol. It keeps a local
cache of certificates, and warns you if a certificate, CA, or public key
On 12/01/2011 11:09 AM, Ben Laurie wrote:
On Thu, Dec 1, 2011 at 4:56 PM, Marsh Ray ma...@extendedsubset.com wrote:
Marsh Ray ma...@extendedsubset.com writes:
Certificate Authority (CA) to Chain to GeoTrust's Ubiquitous Public Root
[...]
SAN FRANCISCO, RSA CONFERENCE, Feb. 14
February of which year? If it's from this year then they're really late to
the party, commercial CAs have been doing this for
Ben Laurie b...@links.org writes:
They appear to actually be selling sub-RA functionality, but very hard to
tell from the press release.
OK, so it does appear that people seem genuinely unaware of both the fact that
this goes on, and the scale at which it happens. Here's how it works:
1. Your
On Wed, Nov 30, 2011 at 4:47 PM, Rose, Greg g...@qualcomm.com wrote:
On 2011 Nov 30, at 16:44 , Adam Back wrote:
Are there really any CAs which issue sub-CA for deep packet inspection aka
doing MitM and issue certs on the fly for everything going through them:
gmail, hotmail, online
On 11/30/11, Rose, Greg g...@qualcomm.com wrote:
On 2011 Nov 30, at 16:44 , Adam Back wrote:
Are there really any CAs which issue sub-CA for deep packet inspection aka
doing MitM and issue certs on the fly for everything going through them:
gmail, hotmail, online banking etc.
Yes, there
Nathan Loofbourrow njl...@gmail.com writes:
On Wed, Nov 30, 2011 at 4:47 PM, Rose, Greg g...@qualcomm.com wrote:
On 2011 Nov 30, at 16:44 , Adam Back wrote:
Are there really any CAs which issue sub-CA for deep packet inspection aka
doing MitM and issue certs on the fly for everything
ianG i...@iang.org writes:
Is this in any way a cause for action in contract? Is this a cause for
revocation?
And given that you have to ask the MITM for the revocation information, how
would you revoke such a cert?
And that was Why blacklists suck for validity checks, reason #872 in a series
ianG i...@iang.org writes:
On 1/12/11 15:10 PM, Peter Gutmann wrote:
ianG i...@iang.org writes:
Is this in any way a cause for action in contract? Is this a cause for
revocation?
And given that you have to ask the MITM for the revocation information, how
would you revoke such a cert?
Wait!
On Thu, Dec 1, 2011 at 5:32 AM, Rose, Greg g...@qualcomm.com wrote:
On 2011 Nov 30, at 17:18 , Lee wrote:
On 11/30/11, Rose, Greg g...@qualcomm.com wrote:
On 2011 Nov 30, at 16:44 , Adam Back wrote:
Are there really any CAs which issue sub-CA for deep packet inspection aka
doing MitM and
On Nov 30, 2011, at 9:32 PM, Rose, Greg wrote:
I run a wonderful Firefox extension called Certificate Patrol. It keeps a
local cache of certificates, and warns you if a certificate, CA, or public
key changes unexpectedly. Sort of like SSH meets TLS. As soon as I went to my
stockbroker's
Jon Callas j...@callas.org writes:
And I presume you didn't save the cert.
Of course, we just need to have people look for these and then save them.
Cert *chain*, not cert. Save as PKCS #7/Certificate Chain from the browser
dialog.
Peter.
If only we at least used passwords to derive secret keys for authentication
protocols that could do channel binding... Sure, that'd still be weak, but
it would be much, much better than what we have now.
Nico
On 2011-12-01 2:03 PM, ianG wrote:
If a CA is issuing sub-CAs for the purpose of MITMing, is this a reason
to reset the entire CA? Or is it ok to do MITMing under certain nice
circumstances?
It seems our CA system has come to resemble our audit system and our
financial system.
In very white