[liberationtech] French Government doing SSL MITM

Fabio Pietrosanti (naif) lists at
Sun Dec 8 09:13:37 PST 2013

On 12/8/13, 5:14 PM, andrew cooke wrote:
> Google detected it and informed the French -
> Despite it being used on a private network, and with user consent, it is
> reportedly a violation of procedures.  Google classify it as a "serious
> breach".
The fact that the serious breach happened "on a private network with
user consent" is a self-declaration coming from the ANSSI itself.

IMHO having in the browser's root certificates a governmental CA
that's known to engage in fake-certificate issuing for SSL inspection
represents a serious breach of trust.

As a comparison, for commercial CAs like GlobalSign, for Trusted Root
businesses, it's explicitly forbidden to do content-inspection proxying:
"Trusted Root is a select service with strict requirements. Trusted Root
is both technically and contractually prohibited from being used for
deep packet inspection/scanning of outbound/inbound HTTPS traffic."

While for a Governmental CA, in the same browser's trusted root CA list,
it's OK to do so?

Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
