Google: Maintaining digital certificate security
Posted Mar 24, 2015 0:22 UTC (Tue) by josh (subscriber, #17465)
In reply to: Google: Maintaining digital certificate security by josh
Parent article: Google: Maintaining digital certificate security
Note that I'm not arguing against the ability for employers to intercept traffic on their own networks or from their own systems.  That's fine, if obnoxious.  However, it should always require adding the MITM CA as trusted in any client system.  No such MITM CA should ever chain to any public CA, and doing so should be grounds for immediate blacklisting of that CA.
IIRC, that was exactly Mozilla's stated policy the last time this occurred, and Mozilla explicitly stated that any such CA that didn't immediately come forward within X amount of time after that announcement would be removed immediately upon discovery.  Here's hoping that actually happens.
Posted Mar 24, 2015 12:34 UTC (Tue) by gerv (guest, #3376) (12 responses)
If you accept the story that this was only used on the company's internal network, and you further accept that a company has a right to inspect data entering or exiting their network, then that sort of abuse has not occurred. 
I'm fairly sure Google are not saying "there was no abuse, therefore everything's fine" - the tone of their blog post does not admit that conclusion. 
Gerv 
Posted Mar 24, 2015 13:31 UTC (Tue) by ledow (guest, #11753) (9 responses)
If something is signed by a valid CA that users worldwide may end up accepting without question, that's a different story entirely. 
If you want to MITM, nobody is stopping you.  Sometimes it's necessary.  And that's why you use your own certificate chain and add it to the machines somehow (even on BYOD setups).   
Generating a certificate for a MITM that is signed by a CA that browsers trust by default, that's just stupid.  Sure, it lets you sniff "unknown", and that's exactly the problem.  You just broke the chain of trust, deliberately and knowingly.  Thus, you have no right to be a CA. 
And THIS is why places like Google publish their certificate hashes and have their browsers check for the correct hash so they aren't MITM'd unknowingly. 
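A pin check in the spirit of ledow's point above, and of josh's earlier one that a MITM CA must never chain to a public root, added here as an example and not code from the thread or from any browser. It computes SPKI pins the way HPKP and Chromium's built-in pin list do and applies the rule browsers use: pins are enforced only for chains ending in a public root, so an interception CA the administrator deliberately installed on the client passes, while one chained to a public CA is caught. The certificates are constructed inside the block.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
)

// spkiPin returns the base64 SHA-256 of the certificate's DER SubjectPublicKeyInfo,
// the form used by HPKP and by Chromium's built-in pin list.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkPins applies the browser rule: a chain ending in a locally installed (private)
// trust anchor is exempt from pinning; a chain to a public root must contain a pinned key.
func checkPins(chain []*x509.Certificate, pins map[string]bool, privateAnchor bool) (bool, string) {
	if privateAnchor {
		return true, "private trust anchor: pins not enforced"
	}
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true, "pin matched: " + c.Subject.CommonName
		}
	}
	return false, "pin failure: no pinned key in a chain to a public root"
}

// newSelfSigned builds a throwaway self-signed CA so the example runs offline (constructed data, not a real CA).
func newSelfSigned(name string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	site, mitm := newSelfSigned("Site Root"), newSelfSigned("Interception CA") // constructed keys
	pins := map[string]bool{spkiPin(site): true}                              // the site's published pin
	fmt.Println(checkPins([]*x509.Certificate{mitm}, pins, false)) // false: interceptor chained to a public root is caught
	fmt.Println(checkPins([]*x509.Certificate{mitm}, pins, true))  // true: admin-installed private root, pins bypassed
}
```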
Posted Mar 24, 2015 13:38 UTC (Tue) by gerv (guest, #3376)
Gerv 
Posted Mar 24, 2015 21:17 UTC (Tue) by robbe (guest, #16131) (7 responses)
> that's why you use your own certificate chain and add it to the machines
> somehow (even on BYOD setups).

But it's neither easy nor convenient to do at scale, especially not for Firefox¹ or mobile devices. For BYOD it may actually incur legal risk².

We sell these MITM proxies at work, and about once a month I have to explain to a customer:

Customer: I want to <X>
Me: You must turn on HTTPS inspection for that to work.
Customer: But the manual says I then have to install a certificate on every device. That's so much bother! Isn't there a better way?
Me: No legal one, no.

¹ Gerv, you still listening? That's my number one pain point for FF on enterprise desktops.
² If I do e-banking from this MITM-ready device, non-repudiation conveniently goes out the window.
Posted Mar 24, 2015 23:00 UTC (Tue) by josh (subscriber, #17465) (4 responses)
Good.  It should be absurdly hard.  If it were easier, more people would do it. 
Posted Mar 24, 2015 23:18 UTC (Tue) by pboddie (guest, #50784)
Posted Mar 25, 2015 6:44 UTC (Wed) by epa (subscriber, #39769)
Posted Mar 26, 2015 21:30 UTC (Thu) by robbe (guest, #16131) (1 responses)
Unfortunately, the employer will just stay with IE in this case. Not installing Firefox is certainly easier than rolling it out *and* fudging one or more certificates into its trusted store.
Maybe a better way is to make adding a MITM cert easier, but show a different visual cue in the "security indicator" next to the URL. Example:
Padlock: we're pretty sure nobody can listen in
Stethoscope: someone is watching your decrypted traffic, ostensibly for malware, but insulting your boss or planning a coup is probably not a good idea either
Megaphone: only politeness protects you, don't do anything you wouldn't do in the cafeteria
Posted Mar 26, 2015 22:19 UTC (Thu) by josh (subscriber, #17465)
As far as the right to do so: in my opinion, the provider of a network can intercept traffic if they want, but should not be allowed to do so without notice and consent. 
Posted Mar 25, 2015 11:52 UTC (Wed) by rich0 (guest, #55509)
Posted Mar 25, 2015 12:34 UTC (Wed) by gerv (guest, #3376)
Gerv 
Posted Mar 25, 2015 1:09 UTC (Wed) by rodgerd (guest, #58896) (1 responses)
Has the company disclosed, in a meaningful fashion, to users of its network that this is happening?  Do they understand a third party is intercepting their Google (and banking and whatever else) login?  What checks and controls does the company have to ensure the interception is used for legitimate purposes rather than, say, a rogue security officer stealing banking details? 
Posted Mar 25, 2015 12:35 UTC (Wed) by gerv (guest, #3376)
Gerv 