Again a great “Security Now” podcast about SSL: how governments can sniff SSL traffic by enforcing Certificate Authorities to provide them with (intermediate CA) certificates. Based on this paper. Great story, recommended reading or listening!
Some things that I picked up:
- Different CA’s can provide you with SSL certificate for same URL (or whatever)
- Internet Explorer (actually the Windows crypto) downloads extra CA’s dynamically; so the list you see in IE can grow behind the scenes
- Firefox manages the list of trusted CA’s itself
- There is no standard policy for when a CA is accepted by browser vendors
- The list of trusted CA’s should be based on your geographical location
- Trusting a CA is somewhat equivalent to trusting a government
- Browser should provide (advanced) users with extra features to help them decide if CA certificate should be trusted or not
In my daytime job, SSL/TLS is used a lot for communication between IT systems within the corporate firewall or with business partners across the Internet. Low level configuration of SSL/TLS is often not supported:
- Configure single CA (or self-signed) cert to be trusted for specific outbound connection (e.g. when business partners have defined their “own CA”)
- Different SSL client certificate per outbound connection
- Easy configuration revocation checks (OCSP etc); and checking if the revocation checks actually work
- Different timeout settings per connection
- Only accept SSL connections on specific interfaces
Authored by: Guy
