SSL inspection

To: debian-user@lists.debian.org
Cc: debian-user@lists.debian.org
Subject: SSL inspection
From: Jonathan de Boyne Pollard <J.deBoynePollard-newsgroups@NTLWorld.COM>
Date: Sun, 18 Feb 2018 07:30:06 +0000
Message-id: <[🔎] 05bcd8af-e92b-f42a-f3d9-bd1fd4f2b78e@NTLWorld.COM>
In-reply-to: <[🔎] 20180216165342.4wftpzvp4z4id5bn@p5k.home>
References: <[🔎] 20180216165342.4wftpzvp4z4id5bn@p5k.home>

Reco:

Browsers do certificate validation, "wrong IP address" would be possible if the third party somehow produced a valid certificate for wiki.debian.org (you have to be a CA *or* the government to do this) and faked a DNS record (that's easy part).

One can also do it if one is the person's employer and owns the machine that the employee is running, no DNS resource record modifications required, merely the employer as an additional root authority pushed out via group policy or suchlike and either custom proxy auto-configuration or transparent proxying at the borders. This has been a known practice for many years, and there have been for that time a wide range of products sold to employers for specifically doing this.

* https://technet.microsoft.com/en-gb/library/ee658156.aspx

* http://cookbook.fortinet.com/why-you-should-use-ssl-inspection/

* https://securebox.comodo.com/ssl-sniffing/ssl-inspection/

* https://www.zscaler.com/products/ssl-inspection

* https://www.globalsign.com/en/blog/what-is-ssl-inspection/

... and so on.

Reply to:

Follow-Ups:
- Re: SSL inspection
  - From: Reco <recoverym4n@gmail.com>

References:
- Re: wiki
  - From: Reco <recoverym4n@gmail.com>

Prev by Date: failed to set console font and keymap
Next by Date: hostname
Previous by thread: Re: wiki
Next by thread: Re: SSL inspection
Index(es):
- Date
- Thread