
The NSA Warns of TLS Inspection - hsnewman
https://www.schneier.com/blog/archives/2019/11/the_nsa_warns_o.html
======
OmarYaacoubi
There are new methods for TLS inspection; it can be done without decryption,
using a combination of machine learning and metadata to spot known
attacks/malware/C&C and abnormalities with high accuracy. We do that at barac
(www.barac.io). Would love to demo and discuss our unique approach.

------
Jonnax
I've always wondered why browsers don't let you know that you're using a
certificate of dubious origin.

Certainly it would make employees more aware to not log into their personal
stuff at work.

~~~
dastx
Not sure how one would achieve this. It certainly would require new
infrastructure. As far as the browser is concerned, the certificate is issued
by a root CA that the computer (or browser) trusts. You'd need a tool or a
header or something that tells the browser what the original cert is. The
browser could then check if this matches the actual cert and then warn.

~~~
dogma1138
It doesn't require new infrastructure; most modern browsers support HTTP Public
Key Pinning.

Since the browser vendor can pin their own keys in the distribution, it gives
you a sufficiently resilient proof against impersonation, as all other keys can
be validated through a connection that is known to be non-susceptible to
impersonation.

