Submitted via IRC for TheMightyBuzzard
Since the early days of the SSL/TLS protocols, the security community has been struggling with various attacks that have made many press headlines.
[...] The Transport Layer Security (TLS) protocol as it stands today has evolved from the Secure Sockets Layer (SSL) protocol from Netscape Communications and the Private Communication Technology (PCT) protocol from Microsoft that were developed in the 1990s, mainly to secure credit card transactions over the Internet.
It soon became clear that a unified standard was required, and an IETF TLS WG was tasked. As a result, TLS 1.0 was specified in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008, and TLS 1.3 will hopefully be released soon. Each protocol version tried to improve its predecessor and mitigated some specific attacks.
As is usually the case in security, there is a "cops and robbers" game going between the designers and developers of the TLS protocol and the people who try to break it (be it from the hacker community or from academia). Unfortunately, this game is open-ended, meaning that it will never end and has no winner.
Not precisely news but it's good to stop, reflect, and look forward now and then.
Source: https://www.helpnetsecurity.com/2017/07/03/tls-security/
(Score: 1) by Roger Murdock on Wednesday July 05 2017, @12:16AM (2 children)
Blue Coats (and any other corporate MITM devices) don't need a root cert from symantec or anywhere else to do SSL packet inspection on a corporate network because the IT dept can just create it's own cert and makes sure it's trusted by all the PCs on the network, which they have full control over.
(Score: 0) by Anonymous Coward on Wednesday July 05 2017, @09:06AM
That would be correct if they were only targeting corporate networks. Thus we can conclude that their need for a root certificate must mean that they are targeting networks where there is no one central admin to push out such certificates - such as intercepting information from all those people who want to replace the king / dictator of their respective countries.
(Score: 2) by Pino P on Wednesday July 05 2017, @03:50PM
Not since Android 7 "Nougat", which distrusts user-installed root certificates [googleblog.com] outside those applications that have explicitly opted in to trusting user-installed root certificates through Network Security Configuration in the application's manifest [android.com]. Does Chrome for Android 7 opt in?
A company offering access to its WLAN hotspot at no extra charge to customers on its premises lacks control of these customers' devices.