
No they can't. That's not how TLS works. The problem we are talking about is not that SSL/TLS-the-protocol allows ISPs to decrypt traffic. It's that some browsers have been shipped with a certificate authority that is willing to sign Google CNs. Remove that CA's cert. What's your ISP going to do now?



A brief search for TLS MITM suggests to my inexperienced eye that there are indeed TLS attacks via MITM cert-swapping that the ISP can assert.

--- edit. Not looking for argument. Looking for facts.

- This is my top hit for 'tls mitm proxy'

http://www.delegate.org/delegate/mitm/

It's dated as '06, however.

- I can install Fiddler (Windows https debugger) on my machine and read https traffic in the clear.

- A competent admin assures me that Websense can read https traffic. Couldn't really dig real detail up on the Websense sites though. This chap suggests the admin is not wrong (search for corporate, it's toward the end): http://www.carbonwind.net/blog/post/Random-SSLTLS-101%E2%80%...


I have no idea how I might go about arguing with you; it's as if I were to argue "a brief search of the literature suggests that P is definitely NP". Give me something more specific and I'll give you the context behind it; right now, I don't know what you're talking about.

(Sigh). Fiddler pops the browser certificate warning when you use it; it's not breaking TLS.

You might just as productively say "my friend assures me AES is broken; maybe that's what Iran is doing." Just like your competent admin friend, there would be some reason for him to say that; it just wouldn't be relevant.


Well, rephrased, what I am led to believe is that Websense can read HTTPS traffic without sparking a certificate warning.

I don't have details on that, unfortunately.


It is crazy that you're even entertaining the thought that the entire security model of the world wide web has been circumvented by WebSense. I guess they just really know how to keep a secret?


I am a little confused by the disparity between your statements and the statements here:

http://security.stackexchange.com/questions/2914/can-my-comp...

It sounds pretty clear to me that with some work on the adversary's part and lack of checking of the certificate chain, TLS can be subverted.


Websense doesn't break TLS or SSL or PKI. Websense abuses an organization's control over their own workstations to conduct a 'mitm' or 'proxy' of the TLS connection. It does that in a fairly straightforward manner.

Websense is used in organizations that distribute their own root ca key to the workstations behind it. The Websense machine is then given that root ca key and allowed to generate dynamic certs with it, so that a workstation with your organizational CA trusts them, but nobody on the regular inter webs will.

It's a really, really shitty way to do things, and effectively violates the trust of every user on your corporate network, but hey, they signed an agreement.


Thank you for the information.


Yes, if you don't check certificates you can subvert TLS. Also if you key your ciphers with zeroes. Don't do those things.
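
Added example, not part of any comment in this thread: the trust-store behaviour described in the Websense comment, reproduced offline with the openssl CLI. All names, keys and certificates are constructed throwaways; the function names and file layout are assumptions of this example, and the two store files stand in for a managed workstation and for everyone else.

```shell
#!/bin/sh
# Constructed demo: every key, name and certificate here is a throwaway generated locally.
# Assumes the openssl CLI (1.1.1 or later) is on PATH.

# Create a self-signed root CA with CN $2 in directory $1, file prefix $3.
make_root() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$3.key" -out "$1/$3.pem" 2>/dev/null
}

# Issue a leaf for host $2 signed by root $3 (call make_root first), the way
# the inspecting proxy in the comment mints a certificate per site.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -days 1 -CA "$1/$3.pem" \
        -CAkey "$1/$3.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

# Succeed only if certificate $2 chains to a root in trust-store file $1.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print the issuer, the field to inspect when checking who signed a site's cert.
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" "Example Corp Inspection Root (constructed)" corp
    make_root "$d" "Unrelated Public Root (constructed)" public
    issue_leaf "$d" www.example.test corp
    cat "$d/public.pem" "$d/corp.pem" > "$d/managed-store.pem"  # org CA installed
    cp "$d/public.pem" "$d/stock-store.pem"                     # org CA absent
    issuer_of "$d/leaf.pem"
    for store in managed-store stock-store; do
        if chain_ok "$d/$store.pem" "$d/leaf.pem"; then echo "$store: accepted"
        else echo "$store: rejected"; fi
    done
    rm -rf "$d"
}
demo
```

The same leaf verifies only against the store that contains the organizational root, and its issuer field names that root rather than a public CA.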



