[liberationtech] French Government doing SSL MITM

Fabio Pietrosanti (naif) lists at infosecurity.ch
Sun Dec 8 09:13:37 PST 2013


On 12/8/13, 5:14 PM, andrew cooke wrote:
> Google detected it and informed the French -
> http://googleonlinesecurity.blogspot.com/2013/12/further-improving-digital-certificate.html
>
> Despite it being used on a private network, and with user consent, it is
> reportedly a violation of procedures.  Google classify it as a "serious
> breach".
The fact that the serious breach happened "on a private network with
user consent" is a self-declaration coming from the ANSSI itself.

IMHO having in the browser's root certificates a governmental CA
that's known to engage in fake-certificate issuing for SSL inspection
represents a serious breach of trust.

As a comparison, for commercial CAs like GlobalSign, in the Trusted Root
business, it's explicitly forbidden to do content-inspection proxying:
"Trusted Root is a select service with strict requirements. Trusted Root
is both technically and contractually prohibited from being used for
deep packet inspection/scanning of outbound/inbound HTTPS traffic."
https://www.globalsign.com/certificate-authority-root-signing/

While for a governmental CA, in the same browser's trusted root CA list,
it's OK to do so?

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
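The point of the thread is that ordinary certificate validation cannot tell a legitimate certificate from one minted by any other CA that the browser happens to trust: once an interception CA is in the root store, a path-validating client accepts its certificates for any name. The following Go program is an added illustration, not code from the list post, from ANSSI or from Google. It constructs two throwaway CAs (an "expected" one and a "trusted but intercepting" one), issues a certificate for the same constructed host name from each, puts both CAs in a root store the way a browser would, and then applies public key pinning on top of chain validation. Only the pin check (base64 of the SHA-256 of the SubjectPublicKeyInfo, the format HPKP and Chrome's pin list use) separates the two chains; the third check shows that when the intercepting CA is not in the root store, plain validation already rejects it. All CA names, the host name and the certificate profiles are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// Result is what a pinning-aware client concludes about one server certificate.
type Result struct {
	ValidChain bool // ordinary path validation against the root store passed
	PinMatched bool // a pinned SPKI hash appears somewhere in a validated chain
}

// mustCert generates a P-256 key and has parentKey sign tmpl for it; a nil parent
// means self-signed. It panics only on key-generation or signing failures, which
// cannot occur with these fixed templates.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template builds a minimal constructed profile: a CA when ca is true, otherwise
// a server certificate whose DNS name is name.
func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the HPKP / Chrome pin format.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkChain runs normal path validation first, then requires that at least one
// certificate in a validated chain carries a pinned key.
func checkChain(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) Result {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return Result{} // rejected by path validation; pins are never consulted
	}
	res := Result{ValidChain: true}
	for _, chain := range chains {
		for _, c := range chain {
			res.PinMatched = res.PinMatched || pins[spkiPin(c)]
		}
	}
	return res
}

// RunScenario builds two CAs, issues a certificate for the same host from each, and
// returns the client's verdict on (1) the leaf from the expected CA with both CAs
// trusted, (2) the other CA's leaf with both trusted, (3) that leaf with only the
// expected CA trusted.
func RunScenario() (legit, intercept, untrusted Result) {
	const host = "www.example.test" // constructed host name
	legitCA, legitKey := mustCert(template("Expected Root CA", true), nil, nil)
	mitmCA, mitmKey := mustCert(template("Trusted But Intercepting CA", true), nil, nil)
	legitLeaf, _ := mustCert(template(host, false), legitCA, legitKey)
	mitmLeaf, _ := mustCert(template(host, false), mitmCA, mitmKey)
	pins := map[string]bool{spkiPin(legitCA): true} // the key the client expects behind host
	both := x509.NewCertPool()                      // a root store that, like a browser's, trusts both CAs
	both.AddCert(legitCA)
	both.AddCert(mitmCA)
	onlyLegit := x509.NewCertPool()
	onlyLegit.AddCert(legitCA)
	return checkChain(legitLeaf, both, host, pins),
		checkChain(mitmLeaf, both, host, pins),
		checkChain(mitmLeaf, onlyLegit, host, pins)
}
```

Running RunScenario gives ValidChain for both of the first two leaves, since both issuers sit in the root store, and PinMatched only for the first; the third leaf fails path validation outright. The root store answers "is this issuer trusted at all", while the pin answers "is this the issuer I expect for this site", which is the distinction the thread is arguing about.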