On Feb 13, 2012, at 9:34 PM, Benjamin Kreuter wrote:

> On Mon, 13 Feb 2012 13:32:48 -0500
> Phillip Hallam-Baker <[email protected]> wrote:
> 
>> What I find wrong with the MITM proxies is that they offer a
>> completely transparent mechanism. The user is not notified that they
>> are being logged. I think that is a broken approach because the whole
>> point of accountability controls is that people behave differently
>> when they know they are being watched.
>> 
>> I don't mean just changing the color of the address bar either. I
>> would want to see something like the following:
>> 
>> 0) The intercept capability is turned on in the browser, this would be
>> done using a separate tool and lock the browser to a specific
>> intercept cert root.
> 
> We can already do this; just import the MITM root into the target
> browser, and if you want to prevent evasion, disable all other CAs.  We
> do not currently see such things being done, probably because the
> people who want to perform MITM attacks do not want to have to do
> anything to the target system that might alert people to the
> eavesdropping. Why would they cooperate with a system that informs
> users about the eavesdropping, when they already have such an option
> available but choose not to use it?

I work for a vendor of such systems. The way our customers use it is that they 
generate a CA certificate for their gateway and install the MITM cert in the 
target browsers.

I believe many of them use Microsoft's tools to automatically install on all 
Windows machines in the domain, but Mac users, Firefox users, Linux users and 
smartphone users get the scary screens. That is how our product works, and 
AFAIK the same is true for products with similar functionality from the likes 
of Blue Coat and Cisco.

You might want to look at (the now expired) draft-mcgrew-tls-proxy-server-00, 
which attempts to find a solution that informs the client and identifies the 
proxy.

Country-wide surveillance needs other means, and needs to get legitimate looking 
certificates.

Yoav

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
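The deployment Yoav describes (the gateway issues its own CA, managed browsers get that root installed, everyone else gets the warning page), reproduced as an added example that is not part of this thread. It assumes the openssl CLI is available; the CA name, hostname and file names are constructed for the demonstration, and the last function shows the check a user can run to see that a connection terminates at a corporate root rather than a public one.

```shell
#!/bin/sh
# Added example: the interception CA deployment discussed on the list, using
# only the openssl CLI. All names below are constructed, not from any product.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# 1. The gateway operator generates a CA certificate (a self-signed root).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout gateway-ca.key -out gateway-ca.pem \
  -subj "/CN=Example Corp Intercepting Gateway CA" 2>/dev/null

# 2. For each intercepted site the gateway mints a leaf certificate signed
#    by that CA; this is what the browser actually receives instead of the
#    site's real certificate.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA gateway-ca.pem -CAkey gateway-ca.key \
  -CAcreateserial -days 30 -out leaf.pem 2>/dev/null

# Managed client (e.g. a domain-joined Windows machine): the gateway CA has
# been pushed into its trust store, so the forged leaf validates silently.
managed_client_check() {
  openssl verify -CAfile gateway-ca.pem leaf.pem >/dev/null 2>&1
}

# Unmanaged client (Mac, Firefox, Linux, phone): only the default store is
# consulted, the chain does not terminate at a trusted root, and the user
# gets the warning page. Returns non-zero.
unmanaged_client_check() {
  openssl verify leaf.pem >/dev/null 2>&1
}

# Detection from the user's side: print the issuer of the certificate the
# browser was handed. A corporate CA name here, on a public site, means the
# session is being intercepted.
leaf_issuer() {
  openssl x509 -in leaf.pem -noout -issuer
}

if managed_client_check; then
  echo "gateway CA installed:  trusted (no warning shown)"
fi
if unmanaged_client_check; then
  echo "default store only:    trusted"
else
  echo "default store only:    NOT trusted (browser warning page)"
fi
echo "issuer seen by client: $(leaf_issuer)"
```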
