Gentoo Archives: gentoo-user

From: Rich Freeman <rich0@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Tue, 01 Jun 2021 13:29:52
In Reply to: Re: [gentoo-user] app-misc/ca-certificates by Adam Carter
1 On Tue, Jun 1, 2021 at 7:59 AM Adam Carter <adamcarter3@×××××.com> wrote:
2 >>
3 >> And another "wondering" - all the warnings about trusting self signed
4 >> certs seem a bit self serving. Yes, they are trying to certify who you
5 >> are, but at the expense of probably allowing access to your
6 >> communications by "authorised parties" (such as commercial entities
7 >> purchasing access for MITM access - e.g. certain router/firewall
8 >> companies doing deep inspection of SSL via resigning or owning both end
9 >> points).
10 >
11 > AFAIK in an enterprise MITM works by having a local CA added to the cert stores of the workstation fleet, and having that CA auto generate the certs for MITM. That didn't work with certificate pinning, but pinning has been deprecated.
13 So, I don't know all the ways that pinning is implemented, but if
14 you're talking about using MITM to snoop on enterprise devices on the
15 enterprise network I'd think that pinning wouldn't be an issue,
16 because you control the devices from cradle to grave. Just ensure the
17 pinned certificates are the ones that let you MITM the connections.
19 Now, if your organization has some sort of guest network for
20 non-enterprise devices then pinning would obviously block MITM of
21 connections made by those devices. Really though I'm not sure you'd
22 want to be snooping stuff like this - it seems like more legal
23 headaches than it is worth. You want to sniff your OWN traffic for
24 IDS/etc or other unauthorized use, and since you're sniffing traffic
25 from devices you own you don't have the same legal issues (I won't say
26 no legal issues, but certainly monitoring your own devices is very
27 different from monitoring those you don't own). You shouldn't even be
28 allowing uncontrolled devices on those networks in the first place.
29 If you want to detect unauthorized devices MITM isn't really the best
30 solution - just use positive authentication of known-good devices
31 up-front and anything that doesn't pass that test is treated as a
32 threat and shouldn't even be able to send traffic.
34 --
35 Rich


Subject Author
Re: [gentoo-user] app-misc/ca-certificates William Kenworthy <billk@×××××××××.au>
Re: [gentoo-user] app-misc/ca-certificates Adam Carter <adamcarter3@×××××.com>