Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-03 Thread Lucky Green
On 2011-12-02 03:18, Adam Back wrote: [Other aspects of Adam's post elided to be addressed in a different context. My response here focuses exclusively on the very narrow question of corporate MITM SSL proxies] > 2. corporate LAN SSL MitM (at least the corporation has probably a contract > with al

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-03 Thread Peter Gutmann
ianG writes: >PS; we need a better name than DPI MITM. For some reason I'm thinking of WITM. Given that the whole reason for doing this silly-walk in the first place was to protect us against MITMs, I wouldn't use WITM, I'd call it a WTFITM. Peter. ___

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-03 Thread ianG
Wifebeating syndrome :) I was aware of the claim of MITMing, but nobody offered proof and it sort of faded away under the cover of NDAs. Just on that above: Back in 2005, 2006 or so when the Mozilla policy was being written, allegations surfaced that two CAs were practicing MITMing as a bus

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-03 Thread Peter Gutmann
ianG writes: >Wifebeating syndrome :) I was aware of the claim of MITMing, but nobody >offered proof and it sort of faded away under the cover of NDAs. You do need to distinguish between CAs issuing sub-CA certs (not for MITM but for businesses who need them) and DPI MITM certs. It's the sub-C

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread dan
> Whoever said security by obscurity doesn't work? Must have been > on something. Obscurity works for the offense. --dan ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread jd.cypherpunks
> On 3/12/11 03:36 AM, Ben Laurie wrote: >> On Fri, Dec 2, 2011 at 4:14 PM, ianG wrote: >>> On 2/12/11 23:00 PM, Peter Gutmann wrote: I guess if you're running into this sort of thing for the first time then you'd be out for blood, but if you've been aware of it going on for

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread James A. Donald
That vast numbers of private label CAs exist that could perform man in the middle attacks is disturbing, but not newsworthy. That some pseudonymous guy on the internet says that they do perform man in the middle attacks is disturbing, but not newsworthy. Proof of a man in the middle attack, i

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Jeffrey Walton
On Fri, Dec 2, 2011 at 2:00 PM, ianG wrote: > On 3/12/11 03:36 AM, Ben Laurie wrote: >> >> On Fri, Dec 2, 2011 at 4:14 PM, ianG  wrote: >>> >>> On 2/12/11 23:00 PM, Peter Gutmann wrote: I guess if you're running into this sort of thing for the first time then you'd be out for b

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread ianG
On 3/12/11 03:36 AM, Ben Laurie wrote: On Fri, Dec 2, 2011 at 4:14 PM, ianG wrote: On 2/12/11 23:00 PM, Peter Gutmann wrote: I guess if you're running into this sort of thing for the first time then you'd be out for blood, but if you've been aware of it going on for more than a decade the

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Rose, Greg
Some random chiming in... On 2011 Dec 2, at 5:00 , Adam Back wrote: > On Sat, Dec 03, 2011 at 01:00:14AM +1300, Peter Gutmann wrote: >> I was asked not to reveal details and I won't, > > Of course, I would do the same if so asked. But there are lots of people on > the list who have not obtaine

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Ben Laurie
On Fri, Dec 2, 2011 at 4:14 PM, ianG wrote: > On 2/12/11 23:00 PM, Peter Gutmann wrote: >> >> I guess if you're running into this sort of thing for the first time then >> you'd be out for blood, but if you've been aware of it going on for >> more >> than a decade then it's just business as us

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread ianG
On 3/12/11 03:14 AM, ianG wrote: ... Except, *natural person* rights can't be *reliably* contracted away. oops, fix bloopers. wish we had time to be lawyers too... iang ___ cryptography mailing list cryptography@randombit.net http://lists.randombit

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread ianG
On 2/12/11 23:00 PM, Peter Gutmann wrote: I guess if you're running into this sort of thing for the first time then you'd be out for blood, but if you've been aware of it going on for more than a decade then it's just business as usual for commercial PKI. I'm completely unfazed by it, it's

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Peter Gutmann
Adam Back writes: >I wonder what that even means. *.com issued by a sub-CA? that private key >is a massive risk if so! I wonder if a *.com is even valid according to >browsers. Or * that would be funny. No idea, but remember that it's not "general-purpose browsers", it's "cellphone browsers

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Adam Back
I wonder what that even means. *.com issued by a sub-CA? that private key is a massive risk if so! I wonder if a *.com is even valid according to browsers. Or * that would be funny. Adam On Sat, Dec 03, 2011 at 02:24:53AM +1300, Peter Gutmann wrote: Adam Back writes: [WAP wildcard certs]

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Peter Gutmann
Adam Back writes: >[WAP wildcard certs] > >That is bad. Are you saying there is anyone doing SSL mitm for stream >compression reasons? Who? The use of wildcard certs in WAP gateways came up from the SSL Observatory work... hmm, there's at least a mention of it in "An Observatory for the SSLiver

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Adam Back
On Sat, Dec 03, 2011 at 01:00:14AM +1300, Peter Gutmann wrote: I was asked not to reveal details and I won't, Of course, I would do the same if so asked. But there are lots of people on the list who have not obtained information indirectly, with confidentiality assurances offered, and for them

Re: [cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Peter Gutmann
Adam Back writes: >a public MitM proxy? Or a corporate LAN. Private organisation. >That intermediate CA needs publishing, and the CA that issued it. I was asked not to reveal details and I won't, but in any case I don't know whether it would achieve much. For the case of a public CA doing

[cryptography] if MitM via sub-CA is going on, need a name-and-shame catalog (Re: really sub-CAs for MitM deep packet inspectors?)

2011-12-02 Thread Adam Back
Now we're getting somewhere. If this is going on even the policy enforcement aspect of CAs is broken... CAs are subverting their own certification practice statement. The actions taken by the user of the sub-CA cert are probably illegal also in the US & europe where there are expectations of pr