Offered as a point of information... I believe the Saudi government uses these technologies to keep their web halal...
https://www.sandvine.com/government-customers

On Wed, 11 Sep 2019 at 11:44, D. Hugh Redelmeier via talk <[email protected]> wrote:

> | From: Mike via talk <[email protected]>
>
> | A TLS/SSL Man In The Middle (MITM) requires your browser to negotiate
> | TLS with the MITM, and the MITM goes out onto the Internet to
> | (separately) negotiate TLS with the site you are trying to connect to.
>
> Right.
>
> Your browser must be fooled into thinking that the MITM is the site
> you are trying to connect to.
>
> Let's call the site you are trying to get to "goal.ca".
>
> The DNS must provide the browser with the MITM's IP address when
> resolving "goal.ca" OR the MITM must intercept all traffic for the real
> goal.ca. I'd guess that interception is more likely to be successful.
>
> | However, this means that the MITM needs to provide you a public
> | certificate for which it is in possession of the private key.
>
> And that cert must claim to be for goal.ca.
>
> | Presumably this is not a certificate whose authenticity can be traced
> | to a top-level Certificate Authority (CA) that your browser trusts.
>
> Right. Any CA that would issue a cert for goal.ca to someone not
> associated with goal.ca would find their root certs kicked out of
> every browser (it has happened).
>
> | That should be your detection method.
>
> In other words, such a cert could not be validated. (Validation happens
> through a chain of certificates terminating in a root (self-signed) cert
> already known to the browser (seeded by the browser vendor or previously
> added by the user).)
>
> | Otherwise, if you're dealing
> | with a large, corporate MITM (cough, Zscaler, cough), they might be
> | generating / issuing MITM certs on the fly from their issuing CA cert
> | which may actually trace to a top-level public CA.
>
> Wait: is that possible? Why are those CAs not expelled by the browser
> "vendors"?
>
> I must have misunderstood something.
>
> In <https://en.wikipedia.org/wiki/Zscaler#SSL_traffic_considerations>
>
> "... and assuming that the user has pre-installed a company root cert
> ..."
>
> DON'T DO THAT. At least not unless you understand the consequences.
>
> PS: even when successfully using end-to-end TLS, traffic analysis
> gives away a lot of the game. A VPN would reduce but not eliminate
> that leakage. Few of us realize how effective traffic analysis can
> be.
> ---
> Post to this mailing list [email protected]
> Unsubscribe from this mailing list
> https://gtalug.org/mailman/listinfo/talk

--
William Porquet, M.A. ‡ mailto:[email protected] ‡ http://www.2038.org/
"It is only with the heart one can see clearly; what is essential is invisible to the eye." - (The Fox) "The Little Prince"
---
Post to this mailing list [email protected]
Unsubscribe from this mailing list
https://gtalug.org/mailman/listinfo/talk
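An added illustration of the detection point made in the thread (a MITM's certificate either fails to validate, or validates only because a company root was pre-installed in the local trust store). This is example code written for this page, not code from the thread's authors or from any product it names. It assumes PUBLIC_BUNDLE is a placeholder path to a CA bundle containing only public roots (for example the Mozilla bundle shipped with the certifi package), and that any pins you pass are SHA-256 fingerprints of the leaf certificate you expect the real site to present. The probe does the same handshake against the system store and against the public-only bundle; a chain that passes the first but fails the second is trusted only through a locally added root, which is exactly the corporate-proxy case discussed above.

```python
"""Probe a host's TLS chain two ways and report whether it is trusted only via a
locally installed root. Example code written for this page, not from the thread."""
import hashlib
import socket
import ssl
import sys

# Assumed placeholder: a bundle holding only public roots (e.g. certifi's cacert.pem).
PUBLIC_BUNDLE = "/path/to/public-roots.pem"


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint, the form browsers display for a cert."""
    hexdigest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def name_to_dict(name):
    """Flatten the tuple-of-tuples form ssl.getpeercert() uses for subject/issuer."""
    return {key: value for rdn in name for key, value in rdn}


def classify(system_ok, public_ok, leaf_fingerprint=None, pins=()):
    """Turn the two validation outcomes into a verdict.

    system_ok - chain validated against the OS/browser store (may contain roots
                added locally, e.g. a company root used by an intercepting proxy)
    public_ok - chain validated against a bundle of public roots only
    pins      - optional fingerprints of the leaf the real site is known to serve
    """
    if not system_ok and not public_ok:
        return "untrusted"          # the "could not be validated" case
    if system_ok and not public_ok:
        return "local-root-only"    # trusted only because of a locally added root
    if pins and leaf_fingerprint not in pins:
        return "pin-mismatch"       # publicly valid, but not the leaf we expected
    return "ok"


def _handshake(host, port, context):
    """Complete a TLS handshake; return (leaf DER bytes, parsed leaf dict).
    The dict is empty when the context did not validate the chain."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


def _verified_cert(host, port, context):
    """Parsed leaf dict if the chain validates under this context, else None."""
    try:
        return _handshake(host, port, context)[1]
    except ssl.SSLCertVerificationError:
        return None


def probe(host, port=443, public_bundle=PUBLIC_BUNDLE, pins=()):
    """Return (verdict, leaf fingerprint, issuer dict) for host:port."""
    # Unverified fetch only to obtain the leaf for reporting; it is never trusted.
    unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    leaf_der, _ = _handshake(host, port, unverified)
    leaf_fp = sha256_fingerprint(leaf_der)

    system_ctx = ssl.create_default_context()          # OS store, incl. local roots
    public_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # public roots only
    public_ctx.verify_mode = ssl.CERT_REQUIRED
    public_ctx.check_hostname = True
    public_ctx.load_verify_locations(cafile=public_bundle)

    system_cert = _verified_cert(host, port, system_ctx)
    public_cert = _verified_cert(host, port, public_ctx)
    verdict = classify(system_cert is not None, public_cert is not None,
                       leaf_fp, set(pins))
    issuer = name_to_dict((system_cert or public_cert or {}).get("issuer", ()))
    return verdict, leaf_fp, issuer


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "goal.ca"  # placeholder host
    verdict, fp, issuer = probe(target)
    print(f"{target}: {verdict}")
    print(f"  leaf SHA-256: {fp}")
    print(f"  issuer: {issuer.get('organizationName', '?')} / {issuer.get('commonName', '?')}")
```

Run it as `python probe.py example.org` with PUBLIC_BUNDLE pointing at a public-only bundle. A "local-root-only" verdict is the signal to look at which root was added to the machine and by whom; "untrusted" corresponds to the simpler case in the thread where the forged certificate cannot be validated at all.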
