At the last Chaos Communication Camp I gave a talk summarizing the problems with TLS interception, or Man-in-the-Middle proxies. This was initially motivated by the Superfish incident and my own investigations of Privdog, but over the past month I learned that this is a much bigger problem. I was surprised and somewhat shocked to discover that it seems to be almost a default feature of various security products, especially in the so-called "Enterprise" sector. I hope I have contributed to a discussion about the dangers of these devices and software products.
There is a video recording of the talk available, and I am also sharing the slides (also on Slideshare).
I noticed after the talk that I had a mistake on the slides: when describing Filippo's generic attack on Komodia software I said and wrote SNI (Server Name Indication) on the slides. However, the feature that is used here is called SAN (Subject Alt Name). SNI is a feature to have different certificates on one IP address; SAN is a feature to have different domains on one certificate. So they are related and I got them confused, sorry for that.
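To make the SNI/SAN distinction concrete, here is an added example that is not part of the original post. SNI is a field the client sends in the TLS ClientHello (RFC 6066), which is what lets one IP address serve several certificates; SAN is an X.509 extension inside the certificate (RFC 5280), which is what lets one certificate cover several names. The code builds and parses a constructed ClientHello extensions block carrying SNI, and separately checks a hostname against a constructed SAN dNSName list using the RFC 6125 wildcard rule. The ClientHello fragment, the hostnames and the SAN list are all constructed inline; no real certificate or network connection is involved.

```python
"""Added example: where SNI and SAN live in TLS.

SNI  -> sent by the client in the ClientHello extensions (per connection).
SAN  -> stored in the server certificate as the subjectAltName extension.
A client validates the name it asked for (the SNI it sent) against the
names the certificate carries (its SAN list), so the two are related but
live in different places.
"""
import struct
from typing import List, Optional

SNI_EXTENSION_TYPE = 0x0000  # "server_name" extension type, RFC 6066


def build_client_hello_sni(hostname: str) -> bytes:
    """Construct only the extensions block of a ClientHello, carrying SNI.

    The preceding ClientHello fields (version, random, cipher suites) are
    omitted; the extensions block is enough to show where the name lives.
    """
    name = hostname.encode("ascii")
    # ServerName: name_type(1) = host_name(0), length(2), name bytes
    server_name = struct.pack("!BH", 0, len(name)) + name
    # ServerNameList: total length(2) followed by the entries
    sn_list = struct.pack("!H", len(server_name)) + server_name
    # Extension: type(2), length(2), extension_data
    ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sn_list)) + sn_list
    # Extensions block: length(2) followed by the extensions
    return struct.pack("!H", len(ext)) + ext


def parse_sni(extensions: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if absent."""
    (total,) = struct.unpack("!H", extensions[:2])
    pos, end = 2, 2 + total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", extensions[pos:pos + 4])
        data = extensions[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        p, list_end = 2, 2 + list_len
        while p + 3 <= list_end:
            name_type, name_len = struct.unpack("!BH", data[p:p + 3])
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:  # host_name
                return name.decode("ascii")
    return None


def san_matches(hostname: str, san_dns_names: List[str]) -> bool:
    """Check a hostname against a certificate's SAN dNSName entries.

    Follows the RFC 6125 section 6.4.3 rule: a wildcard is only accepted
    as the entire left-most label and never matches across label
    boundaries, so "*.example.com" covers "www.example.com" but neither
    "example.com" nor "a.b.example.com".
    """
    host = hostname.lower().rstrip(".")
    for pattern in san_dns_names:
        pat = pattern.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*.") and "*" not in pat[2:]:
            suffix = pat[1:]  # ".example.com"
            if host.endswith(suffix):
                left = host[:-len(suffix)]
                if left and "." not in left:
                    return True
    return False


if __name__ == "__main__":
    # Constructed sample: the client asks for one name via SNI ...
    hello = build_client_hello_sni("www.example.com")
    requested = parse_sni(hello)
    # ... and the certificate it receives lists several names via SAN.
    constructed_san = ["example.com", "*.example.com", "mail.example.net"]
    print("SNI requested:", requested)
    print("SAN covers it:", san_matches(requested, constructed_san))
```

The SNI value is chosen per connection by the client, while the SAN list is fixed when the certificate is issued; a server that hosts several certificates on one address picks a certificate by SNI and must then present one whose SAN list contains the requested name, which is the check `san_matches` performs on the client side.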
I got a noteworthy comment in the discussion after the talk that I also want to share: these TLS interception proxies by design break client certificate authentication. Client certificates are rarely used, which is unfortunate, because they are a very useful feature of TLS. This is another reason to avoid any software that tries to mess with your TLS connections.