Re: Nation State MITM CA's ?
On 21/07/2019 03:21, My1 wrote: Hello everyone, I am new here but also want to share my opinion about some posts here, I know it's a lot of text but I hope it's not too bad. Am Freitag, 19. Juli 2019 23:42:47 UTC+2 schrieb dav...@gmail.com: Wouldn't it be easier to just decree that HTTPS is illegal and block all outbound 443 (only plain-text readable comms are allowed)? Then you would not have the decrypt-encrypt/decrypt-encrypt slowdown from the MITM. if you want to block like half the internet or more which is on the way of HTTPS-only, go ahead. If you don't want to make everyone install a certificate: Issue a double-wildcard certificate (*.*) that can impersonate any site, load it on a BlueCoat system, and sell it to a repressive regime: https://www.dailydot.com/news/blue-coat-syria-iran-spying-software/ Both scenarios end up in the same place: Nobody trusts encryption/SSL or CAs anymore. As far as I remember, certs only allow one wildcard and that only on the very left so they would need at least *.tld and *.common-sub.tld for all eTLDs (*.jp doesnt cover *.co.jp). Also, you say that this is for not wanting everyone to install a certificate. which Trusted CA in their right mind would actually do this? CT is becoming FAR bigger as time goes on and if any CA is catched going and issuing wildcards for public suffixes, that CA would be dead instantly. Also browsers could just drop certificates with *.(public-suffix) entirely and not trust them, no matter the source. I believe this is either done, or easy to add. On Friday, July 19, 2019 at 1:27:17 PM UTC-7, Jakob Bohm wrote: On 19/07/2019 21:13, andrey...@gmail.com wrote: I am confused. Since when Mozilla is under obligation to provide customized solutions for corporate MITM? IMHO, corporations, if needed, can hire someone else to develop their own forks of Chrome/Firefox to do snooping on HTTPS connections. In regular browsers, developed by community effort and with public funds, ALL MiTM certificates should be just permanently banned, no? As others (and I) have mentioned, MitM is also how many ordinary antivirus programs protect users from attacks. The hard part is how to distinguish between malicious and user-helping systems. I fully agree that this is hard but one also needs to be aware that antiviruses while not unhelpful also provide risks by being VERY deep in the system. an unmonitored MITM action by that could end in disastrous results, in the worst case bank phishing could occur since the user cannot verify the certificate via the browser. Hence my breakdown and suggestions below, which seem to agree with yours in most cases. one suggestion I think might be helpful is to have the entire data available, while keeping the HTTPS signature, and there could be a machanism that allows anti-virus software to check content before it is executed/loaded and if needed, put a big "do not execute" flag for certain things like script blocks that are clearly malicious or whatever, and the browser can check the signature that no content has been actually changed, but remove that flagged content, while displaying a notification that content has been blocked. that way anti-viruses could only remove elements but not actually change anything. Am Freitag, 19. Juli 2019 22:23:00 UTC+2 schrieb Jakob Bohm: As someone actually running a corporate network, I would like to emphasize that it is essential that such mechanisms try to clearly distinguish the 5 common cases (listed by decreasing harmfulness). 1. A known malicious actor is intercepting communication (such as the nation state here discussed). 2. An unknown actor is intercepting communication (hard to identify safely, but there are meaningful heuristic tests). 3. A local/site/company network firewall is intercepting communications for well-defined purposes known to the user, such as blocking virus downloads, blocking surreptitious access to malicious sites or scanning all outgoing data for known parts of site secrets (for example the Coca-Cola company could block all HTTPS posts containing their famous recipe, or a hospital could block posts of patient records to unauthorized parties). This case justifies a non-blocking notification such as a different-color HTTPS icon. 4. An on-device security program, such as a local antivirus, does MitM for local scanning between the browser and the network. Mozilla could work with the AV community to have a way to explicitly recognize the per machine MitM certs of reputable AV vendors (regardless of political sanctions against some such companies). For example, browsers could provide a common cross-browser cross-platform API for passing the decoded traffic to local antivirus products, without each AV-vendor writing (sometimes unreliable) plugins for each browser brand and version, while also not requiring browser vendors to write
Re: Nation State MITM CA's ?
On 20/07/2019 09:31, simc...@gmail.com wrote: I think it must be quickly blacklisted by Google, Mozilla and Microsoft all together, because it is known as a state scale MITM affecting citizen "real" life. The purpose of https is being defeated and such companies who tried to improve network security for past decade have to react (yes, security and privacy on which they work on are political). If browser editors do blacklist, citizen will be able to rise against this privacy attack. PS:When a MITM CA is known to be at a company scale, it is not that harmfull imho because citizen still have privacy at home. Note that on a technical level, there is no difference between a (small) company and a home (employees versus family members). A small company to consider would be doctor or lawyer office, handling other people's deepest secrets and under an obligation of secrecy from even the authorities. A large home to consider could be 4 generations living together, with 8 to 10 children and 4 spouses for each in each generation, but in relative poverty. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Nation State MITM CA's ?
Am Sonntag, 21. Juli 2019 03:31:03 UTC+2 schrieb sim...@gmail.com: > I think it must be quickly blacklisted by Google, Mozilla and Microsoft all > together, because it is known as a state scale MITM affecting citizen "real" > life. > > The purpose of https is being defeated and such companies who tried to > improve network security for past decade have to react (yes, security and > privacy on which they work on are political). > If browser editors do blacklist, citizen will be able to rise against this > privacy attack. > > PS:When a MITM CA is known to be at a company scale, it is not that harmfull > imho because citizen still have privacy at home. but the obvious question is what will happen then? force a custom browser upon the users which has this change negated but probably wont get any security updates? Don't get me wrong, this cert needs to be stopped, but this thing is generally not easy. although if operating systems start to block these at system level, then it would be quite a bit harder to enforce such a cert since it isnt as easy to get users to change the entire OS, especially when you cannot just modify windows that easily and if windows software is needed, then the gov would shoot itself in the foot quite a bit, when people cannot work anymore because of this. and especially on iOS which you cannot just quickly replace with something else has quite a big impact potential depending on how large their market share over there is. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Nation State MITM CA's ?
I think it must be quickly blacklisted by Google, Mozilla and Microsoft all together, because it is known as a state scale MITM affecting citizen "real" life. The purpose of https is being defeated and such companies who tried to improve network security for past decade have to react (yes, security and privacy on which they work on are political). If browser editors do blacklist, citizen will be able to rise against this privacy attack. PS:When a MITM CA is known to be at a company scale, it is not that harmfull imho because citizen still have privacy at home. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Nation State MITM CA's ?
It would allow people who are using VPNs and other alternative access strategies to realize that they forgot to turn it on/etc On Friday, July 19, 2019 at 11:26:43 AM UTC-4, muc...@wirade.ru wrote: > Well, then users will just get accustomed to seeing this indication on > corporate sites and will ignore it. > > Regards, > Mucius. > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Nation State MITM CA's ?
Hello everyone, I am new here but also want to share my opinion about some posts here, I know it's a lot of text but I hope it's not too bad. Am Freitag, 19. Juli 2019 23:42:47 UTC+2 schrieb dav...@gmail.com: > Wouldn't it be easier to just decree that HTTPS is illegal and block all > outbound 443 (only plain-text readable comms are allowed)? Then you would > not have the decrypt-encrypt/decrypt-encrypt slowdown from the MITM. if you want to block like half the internet or more which is on the way of HTTPS-only, go ahead. > If you don't want to make everyone install a certificate: > Issue a double-wildcard certificate (*.*) that can impersonate any site, load > it on a BlueCoat system, and sell it to a repressive regime: > https://www.dailydot.com/news/blue-coat-syria-iran-spying-software/ > > Both scenarios end up in the same place: Nobody trusts encryption/SSL or CAs > anymore. As far as I remember, certs only allow one wildcard and that only on the very left so they would need at least *.tld and *.common-sub.tld for all eTLDs (*.jp doesnt cover *.co.jp). Also, you say that this is for not wanting everyone to install a certificate. which Trusted CA in their right mind would actually do this? CT is becoming FAR bigger as time goes on and if any CA is catched going and issuing wildcards for public suffixes, that CA would be dead instantly. Also browsers could just drop certificates with *.(public-suffix) entirely and not trust them, no matter the source. > On Friday, July 19, 2019 at 1:27:17 PM UTC-7, Jakob Bohm wrote: > > On 19/07/2019 21:13, andrey...@gmail.com wrote: > > > I am confused. Since when Mozilla is under obligation to provide > > > customized solutions for corporate MITM? IMHO, corporations, if needed, > > > can hire someone else to develop their own forks of Chrome/Firefox to do > > > snooping on HTTPS connections. > > > > > > In regular browsers, developed by community effort and with public funds, > > > ALL MiTM certificates should be just permanently banned, no? > > > > > > > As others (and I) have mentioned, MitM is also how many ordinary > > antivirus programs protect users from attacks. The hard part is > > how to distinguish between malicious and user-helping systems. I fully agree that this is hard but one also needs to be aware that antiviruses while not unhelpful also provide risks by being VERY deep in the system. an unmonitored MITM action by that could end in disastrous results, in the worst case bank phishing could occur since the user cannot verify the certificate via the browser. one suggestion I think might be helpful is to have the entire data available, while keeping the HTTPS signature, and there could be a machanism that allows anti-virus software to check content before it is executed/loaded and if needed, put a big "do not execute" flag for certain things like script blocks that are clearly malicious or whatever, and the browser can check the signature that no content has been actually changed, but remove that flagged content, while displaying a notification that content has been blocked. that way anti-viruses could only remove elements but not actually change anything. Am Freitag, 19. Juli 2019 22:23:00 UTC+2 schrieb Jakob Bohm: > As someone actually running a corporate network, I would like to > emphasize that it is essential that such mechanisms try to clearly > distinguish the 5 common cases (listed by decreasing harmfulness). > > 1. A known malicious actor is intercepting communication (such as the >nation state here discussed). > > 2. An unknown actor is intercepting communication (hard to identify >safely, but there are meaningful heuristic tests). > > 3. A local/site/company network firewall is intercepting communications >for well-defined purposes known to the user, such as blocking virus >downloads, blocking surreptitious access to malicious sites or >scanning all outgoing data for known parts of site secrets (for >example the Coca-Cola company could block all HTTPS posts containing >their famous recipe, or a hospital could block posts of patient >records to unauthorized parties). This case justifies a non-blocking >notification such as a different-color HTTPS icon. > > 4. An on-device security program, such as a local antivirus, does MitM >for local scanning between the browser and the network. Mozilla could >work with the AV community to have a way to explicitly recognize the >per machine MitM certs of reputable AV vendors (regardless of >political sanctions against some such companies). For example, >browsers could provide a common cross-browser cross-platform API for >passing the decoded traffic to local antivirus products, without each >AV-vendor writing (sometimes unreliable) plugins for each browser >brand and version, while also not requiring browser vendors to write >specific code for each AV product. Maybe the ICAP