Re: SSL inspection

To: debian-user@lists.debian.org
Subject: Re: SSL inspection
From: Reco <recoverym4n@gmail.com>
Date: Sun, 18 Feb 2018 11:32:25 +0300
Message-id: <[🔎] 20180218083223.pxlyxgtvengeor7h@p5k.home>
In-reply-to: <[🔎] 05bcd8af-e92b-f42a-f3d9-bd1fd4f2b78e@NTLWorld.COM>
References: <[🔎] 20180216165342.4wftpzvp4z4id5bn@p5k.home> <[🔎] 05bcd8af-e92b-f42a-f3d9-bd1fd4f2b78e@NTLWorld.COM>

	Hi.

On Sun, Feb 18, 2018 at 07:30:06AM +0000, Jonathan de Boyne Pollard wrote:
> Reco:
> 
> > Browsers do certificate validation, "wrong IP address" would be possible
> > if the third party somehow produced a valid certificate for
> > wiki.debian.org (you have to be a CA *or* the government to do this) and
> > faked a DNS record (that's easy part).
> > 
> One can also do it if one is the person's employer and owns the machine that
> the employee is running, no DNS resource record modifications required,
> merely the employer as an additional root authority pushed out via group
> policy or suchlike and either custom proxy auto-configuration or transparent
> proxying at the borders.  This has been a known practice for many years, and
> there have been for that time a wide range of products sold to employers for
> specifically doing this.

It's true, and I'm familiar with the cases like this. But I find it
highly unlikely that this hypothetical employer allows using KDE (which
is used by OP) at a workplace.

Reco

Reply to:

References:
- Re: wiki
  - From: Reco <recoverym4n@gmail.com>
- SSL inspection
  - From: Jonathan de Boyne Pollard <J.deBoynePollard-newsgroups@NTLWorld.COM>

Prev by Date: hostname
Next by Date: Re: hostname
Previous by thread: SSL inspection
Next by thread: Re: wiki
Index(es):
- Date
- Thread