Comment on Browser Certificate Stores and QWACs
MSgtRedFox@infosec.pub 1 year ago
Another thought I had was regarding interception. Anyone with access to root cert can decrypt the data. My understanding was that these certs were supposed to be counter signing right?
Otherwise, wouldnt any government implementing this just be conducting zero effort surveillance?
abhibeckert@lemmy.world 1 year ago
No. These certificates are used for identity verification. For proving that when you send an email, it’s actually your email server you’re talking to and not some other server.
In theory, a root certificate can be used to impersonate any server. In practice you still need to somehow get the traffic to be sent to the wrong server an also there are protections in place (certificate pinning, etc) which would often stop that as well. But these protections are imperfect - so really you just don’t want anyone malicious to get their hands on a root certificate.
MSgtRedFox@infosec.pub 1 year ago
I setup our transparent proxy so we can do interception and IPS. I’m interested/concerned about the ability to use an intermediate ca cert downstream inline somewhere (like a teoco) and if regular consumer desktops would alert on that since their browser would trust the root. We GPO place our intermediate cert in the Windows trusted intermediates. I can’t remember if browsing breaks without doing that.
Not really a concern if there’s other certs/TLS required.in addition to the QWACs cert thought.
I got the impression the easier threat/worry was compromise of a nation CA and issuing illicit duplicate site certs, to then spoof a bank site. Still requires traffic redirection with DNS or routing though I think.