Re: [therightkey] Basically, it's about keeping the CAs honest

Yoav Nir <ynir@checkpoint.com> Mon, 13 February 2012 20:20 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3E7A21F875B for <therightkey@ietfa.amsl.com>; Mon, 13 Feb 2012 12:20:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.468
X-Spam-Level:
X-Spam-Status: No, score=-10.468 tagged_above=-999 required=5 tests=[AWL=0.131, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 80k+iUEcGRpj for <therightkey@ietfa.amsl.com>; Mon, 13 Feb 2012 12:20:44 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 8A74D21F8712 for <therightkey@ietf.org>; Mon, 13 Feb 2012 12:20:40 -0800 (PST)
X-CheckPoint: {4F396CCA-3-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q1DKKcss028340; Mon, 13 Feb 2012 22:20:38 +0200
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.3.213.0; Mon, 13 Feb 2012 22:20:38 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Mon, 13 Feb 2012 22:20:37 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Benjamin Kreuter <brk7bx@virginia.edu>
Date: Mon, 13 Feb 2012 22:20:36 +0200
Thread-Topic: [therightkey] Basically, it's about keeping the CAs honest
Thread-Index: AczqjPKWEJKCK4FbSimzABSuzsqNsg==
Message-ID: <5A52FE60-93C4-4DBE-AE0E-46B2E11C9B98@checkpoint.com>
References: <201202131636.q1DGafVR006049@fs4113.wdf.sap.corp> <0600CF7A-A8CB-4E35-B729-43D626434645@virtualized.org> <CAMm+LwjkPZm9FF=FGx+vb_JxLRbygm-y1H85Powq6U0UfxSKCQ@mail.gmail.com> <20120213143416.4d8cde32@terabyte>
In-Reply-To: <20120213143416.4d8cde32@terabyte>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-KSE-AntiSpam-Interceptor-Info: protection disabled
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Basically, it's about keeping the CAs honest
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2012 20:20:46 -0000

On Feb 13, 2012, at 9:34 PM, Benjamin Kreuter wrote:

> On Mon, 13 Feb 2012 13:32:48 -0500
> Phillip Hallam-Baker <hallam@gmail.com> wrote:
> 
>> What I find wrong with the MITM proxies is that they offer a
>> completely transparent mechanism. The user is not notified that they
>> are being logged. I think that is a broken approach because the whole
>> point of accountability controls is that people behave differently
>> when they know they are being watched.
>> 
>> I don't mean just changing the color of the address bar either. I
>> would want to see something like the following:
>> 
>> 0) The intercept capability is turned on in the browser, this would be
>> done using a separate tool and lock the browser to a specific
>> intercept cert root.
> 
> We can already do this; just import the MITM root into the target
> browser, and if you want to prevent evasion, disable all other CAs.  We
> do not currently see such things being done, probably because the
> people who want to perform MITM attacks do not want to have to do
> anything to the target system that might alert people to the
> eavesdropping. Why would they cooperate with a system that informs
> users about the eavesdropping, when they already have such an option
> available but choose not to use it?

I work for a vendor of such systems. The way our customers use it is that they generate a CA certificate for their gateway and install the MITM cert in the target browsers.

I believe many of them use Microsoft's tools to automatically install on all Windows machines in the domain, but Mac users, Firefox users, Linux users and smartphone users get the scary screens. That is how our product works, and AFAIK the same is true for products with similar functionality from the likes of Blue Coat and Cisco.

You might want to look at (the now expired) draft-mcgrew-tls-proxy-server-00, which attempts to find a solution that informs the client and identifies the proxy.

Country-wide surveillance needs other means, and needs to get legitimate-looking certificates.

Yoav
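The thread above turns on one mechanism: an interception gateway works because its self-generated CA root has been installed into the client's trust store, and clients that did not get the root (the Mac, Firefox, Linux and phone users Yoav mentions) see warnings instead. From the defender's side the corresponding check is to audit the trust store for self-signed anchors that are not on an expected list. The script below is an added example written for this page; it is not from the thread, from Check Point, or from any vendor's product. It works on the dict shape that Python's `ssl.SSLContext.get_ca_certs()` returns, the sample store and all CA names in it are constructed for the example, and `audit_system_store` is a hypothetical wrapper that applies the same check to whatever roots the local OpenSSL configuration has loaded.

```python
import ssl

# Constructed sample entries in the shape ssl.SSLContext.get_ca_certs() returns:
# 'subject' and 'issuer' are tuples of RDNs, each RDN a tuple of (type, value)
# pairs. Every name here is made up for the example.
SAMPLE_STORE = [
    {   # a root that belongs in the store (constructed)
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Example Public Root CA"),),
                    (("commonName", "Example Root"),)),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example Public Root CA"),),
                   (("commonName", "Example Root"),)),
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
    {   # an intermediate chained to the root above; not an anchor (constructed)
        "subject": ((("organizationName", "Example Public Root CA"),),
                    (("commonName", "Example Issuing CA 1"),)),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example Public Root CA"),),
                   (("commonName", "Example Root"),)),
        "notAfter": "Jan  1 00:00:00 2028 GMT",
    },
    {   # a locally generated gateway root of the kind the thread discusses (constructed)
        "subject": ((("organizationName", "Corp Web Gateway"),),
                    (("commonName", "Corp TLS Inspection CA"),)),
        "issuer": ((("organizationName", "Corp Web Gateway"),),
                   (("commonName", "Corp TLS Inspection CA"),)),
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
]


def rdn_value(name, attr_type):
    """Return the first value of attribute `attr_type` in a getpeercert-style name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == attr_type:
                return value
    return None


def is_self_signed(entry):
    """A trust anchor names itself as issuer; intermediates do not."""
    return entry["subject"] == entry["issuer"]


def unexpected_anchors(store, expected_root_cns):
    """Return the commonNames of self-signed roots in `store` that are not expected.

    Matching on commonName is enough to illustrate the check; a production audit
    should compare SubjectPublicKeyInfo fingerprints, since a subject name can be
    reproduced by anyone who generates their own CA.
    """
    found = []
    for entry in store:
        if not is_self_signed(entry):
            continue  # intermediates are ignored; only anchors confer trust
        cn = rdn_value(entry["subject"], "commonName")
        if cn not in expected_root_cns:
            found.append(cn)
    return found


def audit_system_store(expected_root_cns):
    """Hypothetical wrapper: run the same check against the locally loaded roots.

    Note that get_ca_certs() only lists certificates OpenSSL has actually loaded;
    with a capath-style store, roots that were never used may not appear.
    """
    ctx = ssl.create_default_context()
    return unexpected_anchors(ctx.get_ca_certs(), expected_root_cns)


if __name__ == "__main__":
    print("unexpected in sample store:",
          unexpected_anchors(SAMPLE_STORE, {"Example Root"}))
```

Run against the constructed store with only "Example Root" expected, the gateway root is the single anchor reported and the intermediate is skipped; adding "Corp TLS Inspection CA" to the expected set (which is exactly what a domain-wide rollout does for managed machines) makes the report empty, which is the situation Yoav describes for the Windows clients versus the unmanaged ones.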