This can lead to misinformation during any diagnostics or debugging, and even when you use a browser and inspect the cert chain of the trusted CA for a website.
Take my day job, which has a Blue Coat ProxySG doing SSL inspection, and a trusted enterprise CA cert that is present in the chain for pcgus (aus-web.gateway.pcgus.com in this example). That CA chain comes from the trusted CA cert that we delivered and imported into our browsers.
Now that I'm off the pcgus network, that chain is misleading, since I'm going to the website
https://forum.fortinet.com directly. Until we tell Firefox to clear its cached chain, what it shows is misleading to the unaware, unsuspecting end user.
Now look at the chain once we reload the website. Notice how the previous aus-webgateway.pcgus.com entry is gone and the real CA chain is presented?
So always use a tool like curl or gnutls-cli when you want to double- or triple-check the CA chain for a website, or run the website through a site like SSL Labs and inspect the chain there.
Doing this is a dependable way to tell whether a MiTM device is inspecting your traffic. If the CA chain your browser shows does not match the raw chain reported by an inspection tool that reaches the site from outside your network, then you know an "imposter" is in the CA chain.
Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \