Wandering Thoughts archives


Local CAs and an interesting consequence of the SSL security model

Suppose that your organization creates an internal organizational Certificate Authority, so that it can issue SSL certificates for strictly internal hostnames. Of course, everyone needs to have the internal CA's certificate loaded in their browser and so on in order to get work done on your intranet; as a practical matter, you probably preload it in your standard machine setups. I suspect that this is a not uncommon setup in sufficiently large companies.

It's recently struck me that this has an interesting consequence: your company security and firewall people can now intercept and proxy any or all external https websites without certificate warnings. All they have to do is make a certificate for whatever hostname they want and sign it with the internal CA certificate. This works because CA certs do not have restricted spheres of operation (at least as far as I know), so you cannot create a CA certificate that can only be used to sign your internal hostnames.

(You can only use your internal CA cert for this purpose, but the difference between 'only used' and 'can only be used', while small, is vital.)

Since this will be more or less transparent (although not difficult to detect), it's unfortunately now probably significantly more attractive to the powers that be. There are all sorts of firewall security people who probably salivate over the prospects of no longer having to pass https traffic uninspected and unmolested, or block it entirely.

(The cynical view is that even having restricted spheres of operation for CA certificates wouldn't help. The kind of people who would push for firewall https interception would also push for the company CA certificate having no sphere of operation restriction, and that's always going to be possible.)

web/LocalCAConsequence written at 02:49:43; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.