Tunneling through hostile proxy

Jason Holt jason at lunkwill.org
Tue Jul 23 12:58:00 PDT 2002


On Tue, 23 Jul 2002, Adam Back wrote:
[...]
> > However, it is possible for the proxy to have its own CA which has
> > been added to your browser.  Then it acts as a man in the middle and
> > pretends to be the remote host to you, and vice versa.  In that
> > case, it works as you describe, watching the data during its interim
> > decryption.
> 
> While it's _possible_ to do this, I've never heard of a server hosted
> application that advertises that it's doing this.  I would think it
> would be quite hard to get a CA to issue you a certificate if this is
> what you intended to do with it (act as a general MITM on SSL
> connections you proxy).
[...]

I don't know of any other real-world examples.  Rescorla mentions the
technique on pp. 316-319 of "SSL and TLS".  Certainly Thawte isn't going to
issue such wildcard certs, for exactly the reasons you mention.  That's why
you (or your government, or company, or whoever keeps an eye on you) create
your *own* CA and tell your browser to trust it.  Then it'll accept the
wildcard certs without complaint.

						-J
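Added illustration, not part of either correspondent's mail: this Go program (standard library only) builds a constructed private CA named "Corp Proxy CA", has it issue a wildcard certificate for "*.example.com", and verifies that certificate for "www.example.com" twice: once against a trust store without the private CA, where it is rejected, and once after the CA has been added, where it is accepted without complaint. It also reports which root the accepted chain terminates at, since checking that root (or pinning the expected one) is how a client can tell that a locally installed CA, rather than a public one, is vouching for the site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// InterceptionScenario: a constructed private CA ("Corp Proxy CA") issues a wildcard leaf, which is then
// verified for www.example.com without and with that CA in the trust store; rootCN is the accepted chain's root.
func InterceptionScenario() (rejectedWithoutCA, acceptedWithCA bool, rootCN string) {
	ca, caKey := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Corp Proxy CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.example.com"},
		DNSNames: []string{"*.example.com"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}, ca, caKey)
	// Empty (non-nil) pool: no public roots and no proxy CA, so the wildcard cert is rejected.
	opts := x509.VerifyOptions{DNSName: "www.example.com", Roots: x509.NewCertPool()}
	_, err := leaf.Verify(opts)
	rejectedWithoutCA = err != nil
	// "Tell your browser to trust it": with the proxy CA in the store, the same cert is accepted.
	opts.Roots.AddCert(ca)
	if chains, err := leaf.Verify(opts); err == nil {
		acceptedWithCA = true
		rootCN = chains[0][len(chains[0])-1].Subject.CommonName
	}
	return
}
```

A client that compares the chain's root against the root it expects for the site (certificate pinning) sees "Corp Proxy CA" instead of a public CA and can refuse or alert.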





More information about the cypherpunks-legacy mailing list