SSL Man-in-the-middle

Again a great “Security Now” podcast about SSL: how governments can sniff SSL traffic by enforcing Certificate Authorities to provide them with (intermediate CA) certificates. Based on this paper. Great story, recommended reading or listening!

Some things that I picked up:

  • Different CA’s can provide you with SSL certificate for same URL (or whatever)
  • Internet Explorer (actually the Windows crypto) downloads extra CA’s dynamically; so the list you see in IE can grow behind the scenes
  • Firefox manages the list of trusted CA’s itself
  • There is no standard policy for when a CA is accepted by browser vendors
  • The list of trusted CA’s should be based on your geographical location
  • Trusting a CA is somewhat equivalent to trusting a government
  • Browser should provide (advanced) users with extra features to help them decide if CA certificate should be trusted or not

In my daytime job, SSL/TLS is used a lot for communication between IT systems within the corporate firewall or with business partners across the Internet. Low level configuration of SSL/TLS is often not supported:

  • Configure single CA (or self-signed) cert to be trusted for specific outbound connection (e.g. when business partners have defined their “own CA”)
  • Different SSL client certificate per outbound connection
  • Easy configuration revocation checks (OCSP etc); and checking if the revocation checks actually work
  • Different timeout settings per connection
  • Only accept SSL connections on specific interfaces

Authored by: Guy

blogger

blogger

Curious to know more about this topic?

Working at i8c

i8c is a system integrator that strives for an informal atmosphere between its employees, who have an average age of approx 30 years old. We invest a lot of effort in the professional development of each individual, through a direct connection between the consultants and the management (no multiple layers of middle management). We are based in Kontich, near Antwerp, but our customers are mainly located in the triangle Ghent-Antwerp-Brussels and belong to the top 500 companies in Belgium (Securex, Electrabel, UCB, etc…).

Quality Assurance

i8c is committed to delivering quality services and providing customer satisfaction. That’s why we invested in the introduction of a Quality Management System, which resulted in our ISO9001:2000 certification. This guarantees that we will meet your expectations, as a reliable, efficient and mature partner for your SOA & integration projects.

i8c - ISO9001-2015

Also worth reading

AWS AppFlow: Streamlining SaaS Integrations with AWS Services

In today’s digital world, organizations are constantly looking for ways to streamline their workflows and improve their data management processes. One of the key challenges that organizations face is integrating their various software as a service (SaaS) applications with their data management systems. This is

Read More »

Apigee Scope Validation using OpenAPI Specification

In API security and management, we often use a lot of different security mechanisms to protect the requested resource behind the API Gateway. One of these mechanisms is the validation of scopes to authorize a client on a specific sub-resource of the API. Most of

Read More »