Michael Graham wrote: > Reco wrote: > > Ow. Exactly which kind of consumer-grade hardware comes with SSL bump > > preinstalled? That's very interesting to me as I like know which > > hardware to avoid in the future. > > It's way more common than you seem to think. CERT recently did a blog post > about it and it contains a list of both hardware vendors (like Bloxx and > bluecoat) as well as commercial and free software. > > http://www.cert.org/blogs/certcc/post.cfm?EntryID=221 > > Basically if you're selling a web filter or similar security device, you > let admins bump SSL. There are certainly many products that one can buy that do SSL inspection. No one is saying otherwise. That wasn't the question. But are any of those commonly used consumer devices? If someone walks into Fries or Best Buy and spends less than $100 for a home firewall router such as a Linksys, Netgear, D-Link then I doubt it is going to crack open SSL. I doubt they do because doing so would require additional CAs to be installed on user's tablets and other systems downstream and that requires too much support and hand-holding. Most users would be immediately confused, would consider the device broken, would return it without ever knowing that were making the right decision of avoiding it but without ever understanding the details. Therefore consumer devices aren't going to go there. > Given how easy it is for those same admins to push the fake SSL CAs out > over active directory group policy it's pretty much transparent to most > naive users who don't understand the difference between https and http > never mind trying to explain a MITM proxy with a fake root CA! Agreed in the corporate environments. They have control over the users equipment. They often require and issue employees with company laptops. For that type of environment they can do anything. The warning is clear. Don't use your company laptop for your non-work anything. It isn't secure. Use your own computer, laptop, tablet, phone for your banking and anything that needs security. Bob
Attachment:
signature.asc
Description: Digital signature