
Offered as a point of information... I believe the Saudi government uses these technologies to keep their web halal...
https://www.sandvine.com/government-customers

On Wed, 11 Sep 2019 at 11:44, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
| From: Mike via talk <talk@gtalug.org>
| A TLS/SSL Man In The Middle (MITM) requires your browser to negotiate
| TLS with the MITM, and the MITM goes out onto the Internet to
| (separately) negotiate TLS with the site you are trying to connect to.
Right.
Your browser must be fooled into thinking that the MITM is the site you are trying to connect to.
Let's call the site you are trying to get to "goal.ca".
The DNS must provide the browser with the MITM's IP address when resolving "goal.ca" OR the MITM must intercept all traffic for the real goal.ca. I'd guess that interception is more likely to be successful.
| However, this means that the MITM needs to provide you a public
| certificate for which it is in possession of the private key.
And that cert must claim to be for goal.ca.
| Presumably this is not a certificate whose authenticity can be traced
| to a top-level Certificate Authority (CA) that your browser trusts.
Right. Any CA that would issue a cert for goal.ca to someone not associated with goal.ca would find their root certs kicked out of every browser (it has happened).
| That should be your detection method.
In other words, such a cert could not be validated. (Validation happens through a chain of certificates terminating in a root (self-signed) cert already known to the browser (seeded by the browser vendor or previously added by the user).)
| Otherwise, if you're dealing
| with a large, corporate MITM (cough, Zscaler, cough), they might be
| generating / issuing MITM certs on the fly from their issuing CA cert
| which may actually trace to a top-level public CA.
Wait: is that possible? Why are those CAs not expelled by the browser "vendors"?
I must have misunderstood something.
In <https://en.wikipedia.org/wiki/Zscaler#SSL_traffic_considerations>
"... and assuming that the user has pre-installed a company root cert ..."
DON'T DO THAT. At least not unless you understand the consequences.
PS: even when successfully using end-to-end TLS, traffic analysis gives away a lot of the game. A VPN would reduce but not eliminate that leakage. Few of us realize how effective traffic analysis can be.
--
William Porquet, M.A. ‡ mailto:william@2038.org ‡ http://www.2038.org/
"It is only with the heart one can see clearly; what is essential is invisible to the eye." - (The Fox) "The Little Prince"
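
Added example (not part of the original thread): a Python sketch of the two checks discussed above. The first is ordinary chain validation against the local trust store; the second inspects the issuer after validation has passed, which is the only check that still says anything once a company root cert has been pre-installed. The names `check_issuer` and `probe`, the organisation names and the sample dictionaries are constructed for illustration.

```python
import socket
import ssl


def issuer_fields(cert):
    """Flatten the nested 'issuer' RDN tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def check_issuer(cert, expected_orgs):
    """Return (ok, issuer_org). ok is False when the issuing organisation is
    not one the site is known to use, which is what an intercepting proxy
    with a locally installed root looks like after validation has passed."""
    org = issuer_fields(cert).get("organizationName")
    return (org in expected_orgs, org)


def probe(host, expected_orgs, port=443, timeout=5):
    """Connect, validate against the local trust store, then check the issuer."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return f"{host}: chain did not validate ({exc.verify_message})"
    ok, org = check_issuer(cert, expected_orgs)
    if ok:
        return f"{host}: validated, issuer {org!r} is expected"
    return f"{host}: validated, but issuer {org!r} is not expected"


# Constructed samples in the shape getpeercert() returns (not real certificates).
DIRECT = {
    "subject": ((("commonName", "goal.ca"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
INTERCEPTED = {
    "subject": ((("commonName", "goal.ca"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Inspection CA"),)),
}

if __name__ == "__main__":
    expected = {"Example Public CA"}
    for label, cert in (("direct", DIRECT), ("intercepted", INTERCEPTED)):
        print(label, check_issuer(cert, expected))
```

The issuer name is only as distinctive as the interceptor chooses to make it; comparing the certificate's fingerprint with one obtained over a separate network path is the stronger check.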