

Ask HN: How to defend against SSL visibility appliances? - BCharlie

Recently on Tor Talk, there was a discussion of SSL visibility appliances (https://www.bluecoat.com/products/ssl-visibility-appliance). They are able to strip out SSL transparently (good article here: http://www.zdnet.com/how-the-nsa-and-your-boss-can-intercept-and-break-ssl-7000016573/).

Are there any effective means to audit trusted CAs in browsers, so that none of these vendors are in the list? Manually reviewing every CA obviously isn't an option.

Does anyone have any good plugin suggestions, or defensive techniques?
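One concrete way to do the audit the question asks for, as an added example (not code from the thread or from any appliance vendor): a visibility appliance can only re-sign traffic transparently if its CA is in the client's trust store, so instead of reviewing every root by hand you review them once, save the fingerprints, and have a script diff the live store against that baseline from then on. The script uses only the Python standard library, so it covers the OS/OpenSSL store that `ssl.create_default_context()` loads; the baseline file name, the `--cafile` flag and the Debian bundle path are this example's own choices. Firefox keeps its own NSS database, which you would list with NSS's `certutil -L -d <profile dir>` and diff the same way.

```python
"""Audit the CA roots this machine trusts against a baseline you have reviewed.

Added example (not from the thread). Standard library only:
ssl.SSLContext.get_ca_certs() lists the CA certificates a context has loaded,
which for create_default_context() is the OS / OpenSSL store.

Caveat from the ssl docs: roots in an OpenSSL "capath" directory are only
reported once they have been used, so pass the bundle file explicitly
(e.g. --cafile /etc/ssl/certs/ca-certificates.crt on Debian) for a full list.
"""
import hashlib
import json
import ssl
import sys
from typing import Dict, Iterable, List, Optional, Tuple


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def subject_string(cert: dict) -> str:
    """Flatten the nested subject tuple that get_ca_certs()/getpeercert() return."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("subject", ()) for k, v in rdn)


def load_roots(cafile: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (fingerprint, subject) for every CA certificate the context trusts.

    Assumption: the binary and decoded forms of get_ca_certs() enumerate the
    same store in the same order, so zip() pairs each DER blob with its subject.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ders = ctx.get_ca_certs(binary_form=True)
    decoded = ctx.get_ca_certs(binary_form=False)
    return [(fingerprint(d), subject_string(c)) for d, c in zip(ders, decoded)]


def audit(roots: Iterable[Tuple[str, str]], baseline: Dict[str, str]):
    """Compare trusted roots with a baseline of fingerprint -> subject.

    Returns (unexpected, missing). 'unexpected' is what matters: a root that is
    trusted but was never reviewed (an interception CA pushed by policy, an
    antivirus root, a leftover test CA). 'missing' means the store shrank or
    the baseline is stale. Everything is keyed on the fingerprint: a subject
    string is trivial to copy, a SHA-256 of the DER is not.
    """
    present = dict(roots)
    unexpected = {fp: s for fp, s in present.items() if fp not in baseline}
    missing = {fp: s for fp, s in baseline.items() if fp not in present}
    return unexpected, missing


def main(argv: List[str]) -> int:
    """No baseline argument: print a baseline to review and save.
    With baseline.json: report differences, exit 1 if anything unexpected."""
    cafile = None
    if "--cafile" in argv:
        i = argv.index("--cafile")
        cafile = argv[i + 1]
        argv = argv[:i] + argv[i + 2:]
    roots = load_roots(cafile)
    if not argv:
        print(json.dumps(dict(roots), indent=2, sort_keys=True))
        return 0
    with open(argv[0]) as f:
        baseline = json.load(f)
    unexpected, missing = audit(roots, baseline)
    for fp, subj in unexpected.items():
        print(f"UNEXPECTED ROOT  {fp}  {subj}")
    for fp, subj in missing.items():
        print(f"missing root     {fp}  {subj}")
    print(f"{len(roots)} trusted roots, {len(unexpected)} unexpected, {len(missing)} missing")
    return 1 if unexpected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it once on a machine you trust, review the printed list, save it as the baseline, then run `audit.py baseline.json` from cron or a login script. The subject line is only there to make the report readable; the decision is made on the fingerprint, because an appliance CA can call itself whatever it likes.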
======
BCharlie
I should also mention that I am not asking about defenses in particular
applications, such as Tor, which does include hardcoded certs. I am more
interested in everyday use while not using specialized services such as VPN
clients and Tor.

------
TheLoneWolfling
Certificate pinning helps, although it obviously doesn't prevent an attack
against something you haven't seen before.
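The pinning idea and its limitation, as an added example (not code from the thread): an appliance has to replace the server's certificate with one signed by its own CA, so the chain still validates but the leaf we are shown changes. Remembering the leaf's SHA-256 fingerprint the first time a host is contacted and refusing later connections that present a different one catches that swap; a host that was already being intercepted on first contact gets pinned to the appliance's certificate, which is exactly the "something you haven't seen before" gap. The example pins the leaf fingerprint because that needs no ASN.1 parsing; browser pinning (HPKP and built-in pins) hashes a SubjectPublicKeyInfo instead so that routine renewals do not trip it. The store file name `pins.json`, the host `example.test` and the stand-in "DER" byte strings in the demo are this example's own constructions.

```python
"""Leaf-certificate pinning with a trust-on-first-use (TOFU) store.

Added example, not from the thread. check_pin() runs *after* ordinary chain
validation, on top of it: the point is that a re-signed chain passes
validation and still fails here. With leaf pins every legitimate renewal also
looks like a mismatch, so re-pinning is a deliberate operator action.
"""
import hashlib
import json
import socket
import ssl
from typing import Dict, List

PinStore = Dict[str, List[str]]  # host -> accepted leaf fingerprints (backups allowed)


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def check_pin(host: str, leaf_der: bytes, store: PinStore) -> str:
    """Return 'first-use', 'match' or 'mismatch'.

    On first use the fingerprint is recorded: that is the unavoidable TOFU gap.
    A mismatch is never auto-accepted; call repin() once you have verified it.
    """
    fp = fingerprint(leaf_der)
    pins = store.get(host)
    if not pins:
        store[host] = [fp]
        return "first-use"
    return "match" if fp in pins else "mismatch"


def repin(host: str, leaf_der: bytes, store: PinStore) -> None:
    """Deliberately accept a new leaf (verified renewal), keeping old pins as backups."""
    fp = fingerprint(leaf_der)
    store.setdefault(host, [])
    if fp not in store[host]:
        store[host].append(fp)


def load_store(path: str) -> PinStore:
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save_store(path: str, store: PinStore) -> None:
    with open(path, "w") as f:
        json.dump(store, f, indent=2, sort_keys=True)


def fetch_leaf(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Normal, chain-validating TLS handshake; returns the leaf certificate in DER."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> List[str]:
    """Offline walk-through with constructed stand-in 'DER' bytes (not real certs)."""
    store: PinStore = {}
    genuine, resigned = b"constructed leaf A", b"constructed leaf re-signed by appliance CA"
    verdicts = [
        check_pin("example.test", genuine, store),   # first contact: taken on trust
        check_pin("example.test", genuine, store),   # same leaf again: fine
        check_pin("example.test", resigned, store),  # interception starts: caught
    ]
    store2: PinStore = {}
    verdicts.append(check_pin("other.test", resigned, store2))  # intercepted from day one: not caught
    return verdicts


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print(demo())  # ['first-use', 'match', 'mismatch', 'first-use']
    else:
        host, path = sys.argv[1], "pins.json"
        store = load_store(path)
        verdict = check_pin(host, fetch_leaf(host), store)
        save_store(path, store)
        print(host, verdict)
        sys.exit(2 if verdict == "mismatch" else 0)
```

The last verdict in `demo()` is the caveat made concrete: a host first contacted from behind the appliance is pinned to the appliance's certificate and every later check reports a match. Pins are only as good as the first observation, so seed the store from a network you trust (or from pins published out of band) rather than from the office LAN.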

