--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
On Tue 2015-09-29 12:28:40 -0400, Brad Hill <hill...@gmail.com> wrote:
> The user's computer is the user's computer. It's not really a good use of
> anyone's time and energy to engage in an arms race about whether they are
> allowed to modify their own trust stores. That way lies DRM.
I'm not suggesting that the user be disallowed from modifying their own
trust stores. I'm pointing out that the current standard conflates "i'd
like to trust this additional root X" with "i'd like any site certified
by root CA X to be able to disregard all additional safeguards that
other CAs are subject to."
I think we have to accept and enable MiTM interception by EXPLICIT corporate proxies, carving out an accomodation that allows them to be used, provided we can be clear the the user KNOWS that they are there, and that the privacy of their communications via a Corporate Infrastructures is not absolute (in so far as Local Law allows).
By ALLOWING the interception under specific technical conditions, we can actually make the Users position stronger, and improve defences against unauthorised interception (including transparent MiTM attacks).
As I spend my time at work trying to implement such a proxy (and trying to ensure it can enforce a Corporate Policy about what sites the Internal users are allowed to visit), it strikes me that the standards around HTTP CONNECT are in need of updating. A new response code to inform the user that their connection will not be allowed because of a corporate policy (allowing a link to that Corporate policy to be provided), would be VERY useful - and fills a serious functionality gap in that browsers do not allow such information to accompany an HTTP 403 (or other error code from the Proxy).
The existence of specific codes (and even specific syntax) to support an intercepted version of HTTPS Connect via Explicit proxy could also allow the existence of Interception to be disclosed to the Browser (and so to the User) in a way that would enhance rather then disadvantage their privacy.
WITHOUT this facilitation I find myself installing a new local trusted root, and configuring the proxy to interfere with every HTTP CONNECT request, so that it can insert its own 'fake certificate' in order to be able to send the user an HTTP Redirect within the 'trusted' HTTPS channel so as to provide an explanation of why Corporate Policy prevents the access (and how they can do something about that).
It seems very wrong that I should need to breach privacy in this way, just to give the user a helpful message.
Regards,
Nick
On Wednesday, 30 September 2015 09:18:29 UTC+1, Florian Weimer wrote:On 09/18/2015 12:53 PM, Nick Cullen wrote:
> A number of suppliers offer 'SSL interception' as part of the security
> functionality offered by Corporate Proxy servers with protective Web
> filtering capabilities. These products dynamically sign a 'spoof'
> certificate, using an on-board root cert - which has been added to
> corporate assets as an additional Trusted Root.
And this means that the trust decision, cipher suite selection, etc. has
to happen at the reencrypting proxy, without a good way of signaling
back problems to the original application.
Maybe it's time to revisit this model and replace it with something
technically more reasonable (like session key escrow)?
--
Florian Weimer / Red Hat Product Security
--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transparency+unsub...@googlegroups.com.
CT is not enforced for private trust anchors, so it shouldn't affect them.
--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transparency+unsub...@googlegroups.com.
Yes, such certificates would be exempt from CT enforcement. It doesn't matter what the domain is, so long as it chains to a private trust anchor.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
It will be very helpful if you could kindly answer the below questions –
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transparency+unsub...@googlegroups.com.
There is no provision within CT to support what you want. Usually this is done by having “Enterprise” versions of browsers that, for example, blindly accept any certificates from certain configured root CA’s, without enforcing more stringent security requirements on them.