Re: Hello from Mozilla

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Thu, 30 Jul 2009 08:56:09 +0200

On Thu 2009-07-30 at 10:26 +1000, Robert Collins wrote:

> In corporate networking, TLS MITM is a 'feature': company signed
> certificates are used to sign the TLS connection to the corporate
> firewall, and the firewall validates the SSL connection to the outside
> world. I haven't personally used this, so can't really say much more
> about it. Squid's ssl-bump feature can be used for this, but I believe
> browser config is needed (again on a corporate basis) to tell it that
> this is expected.

Squid ssl-bump isn't yet very polished, but it is also far from alone in
doing this. It is a fairly common thing in large corporations.

The configuration needed for this SSL interception thing to run smoothly
(in the eyes of users browsing https) is, apart from the middleman doing
it, that the corporation adds a private CA to the browsers' list of
accepted CAs. Once that is done the corporation can freely spoof
certificates for any server, completely breaking SSL end-to-end in ways
the X.509 trust model is supposed to prevent... but also throwing
certificate-based client authentication out the window, as this requires
end-to-end.

In essence, the level of trust you can place in SSL without manually
inspecting each received certificate is the least amount of trust you
have in any of the CAs installed in your browser's list of universally
trusted CAs and all their CA delegations, official and unofficial.

Regards
Henrik

Received on Thu Jul 30 2009 - 06:56:32 MDT
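The trust model Henrik describes, as an added example (not code from the thread or from Squid), modelled with Go's standard x509 library: a constructed "Corp Interception CA" issues a certificate for a constructed host name, the client rejects it while only the public root is trusted, accepts it as soon as the corporate CA is in the trust store, and a pinned SubjectPublicKeyInfo still tells the forged certificate from the genuine one. The CA names and host are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a key and certificate for name: a self-signed root CA when parent is nil, else a leaf signed by parent.
func issue(name string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors dropped throughout for brevity
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root: may sign certificates, signs itself
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, pkey = tmpl, key
	} else { // server leaf: clients match the host against the SAN, not the CN
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// trustedFor is the browser's check: does leaf validate for host against this list of trusted CAs?
func trustedFor(leaf *x509.Certificate, host string, store ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range store {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
// Scenario: a public root, a corporate interception root, the genuine server cert and the proxy's forged one.
func Scenario() (genuineOK, forgedPublicOnly, forgedWithCorpCA, pinMatches bool) {
	const host = "www.example.com" // constructed host name
	publicCA, publicKey := issue("Public Root CA", nil, nil)
	corpCA, corpKey := issue("Corp Interception CA", nil, nil) // the CA pushed to every browser
	genuine, _ := issue(host, publicCA, publicKey)
	forged, _ := issue(host, corpCA, corpKey) // what the intercepting proxy presents
	genuineOK = trustedFor(genuine, host, publicCA)               // true
	forgedPublicOnly = trustedFor(forged, host, publicCA)         // false: issuer unknown
	forgedWithCorpCA = trustedFor(forged, host, publicCA, corpCA) // true: any trusted CA can vouch for any name
	pinMatches = string(forged.RawSubjectPublicKeyInfo) == string(genuine.RawSubjectPublicKeyInfo) // false: an SPKI pin is CA-independent
	return
}
```

Chain validation alone cannot distinguish the two cases once the corporate CA is trusted, which is why client-certificate authentication and any other end-to-end property break; only a check that does not depend on the CA set, such as the SPKI comparison here, notices the substitution.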
