Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] French Government doing SSL MITM

Fabio Pietrosanti (naif) lists at infosecurity.ch
Sun Dec 8 09:13:37 PST 2013


Il 12/8/13, 5:14 PM, andrew cooke ha scritto:
> Google detected it and informed the French -
> http://googleonlinesecurity.blogspot.com/2013/12/further-improving-digital-certificate.html
>
> Despite it being used on a private network, and with user consent, it is
> reportedly a violation of procedures.  Google classify it as a "serious
> breach".
The fact that the serious breach happened "on a private network with
user consent" it's a self-declaration coming from the ANSSI itself.

IMHO  having in the browser's root certificates a governmental's CA
that's known to engage in fake-certificate issuing for SSL inspection
represent a serious breach of trust.

As a comparison Commercial CA's like GlobalSign, for Trusted Root
businesses, it's explicitly forbidden to do content-inspection proxy:
"Trusted Root is a select service with strict requirements. Trusted Root
is both technically and contractually prohibited from being used for
deep packet inspection/scanning of outbound/inbound HTTPS traffic. "
https://www.globalsign.com/certificate-authority-root-signing/

While for a Governmental CA, in the same browser's trusted root CA list,
it's OK to do so?

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org




More information about the liberationtech mailing list