A discussion of how SSL certificates work
Hosted by Ahuka on 2016-08-12 is flagged as Clean and is released under a CC-BY-SA license.
Listen in ogg, spx, or mp3 format. | Comments (3)
In this open series, you can contribute shows that are on the topic of Privacy and Security
I had the opportunity to present a talk on SSL Certificates at our local LUG, the Washtenaw Linux Users Group. It reuses some material from a previous HPR episode, but may be of interest to our listeners nonetheless. Because this was a lengthy presentation I have divided it into sections. This first section explains how SSL Certificates work, and the second one will explore some of the problems that we have with SSL Certificates, and how we might address those problems. For more go to http://www.zwilnik.com/?page_id=655
Comment #1 posted on 2016-08-18T19:17:47Z by Ken Fallon
Not allowed in the EU
Excellent episode as always.
IANAL, but in the EU at least it is not permissible to intercept all communications via a local SSL cert, even if a policy is in place about non-personal use of computers.
Google Chrome also implements checks to alert if the cert used on a site doesn't match the known cert (e.g. google.com turns out to be company.example.com).
Comment #2 posted on 2016-08-19T16:29:00Z by Kevin O'Brien
Different in EU
Well, I am not a lawyer either, but it looks like EU and US are different in this regard. I can say that in the US the courts have ruled that it is legal since the company owns the computers.
Comment #3 posted on 2016-09-21T15:03:16Z by clacke
Different within EU
Dropping in on the convo without having heard the episode (yet).
I'm in Sweden (which is in the EU), and the company I'm currently contracting for are pretty careful about dotting their i's and crossing their lawyerly t's, so I don't believe they would be risking doing anything illegal.
They intercept TLS traffic, but I don't know if they store anything, or if it's just for the content filter to work and then gets thrown away. Maybe that makes a difference.
Google Chrome uses the OS certificate list. So if you are on your company-issued Windows computer that has the firewall's TLS CA installed to facilitate interception, Chrome will accept the CA just as if it were a real CA. Firefox won't, because it has its own list.
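The trust-store behaviour discussed in comments #1 and #3, as an added Go example that is not part of the episode or of any commenter's post. It builds two constructed CAs (a "public" root and a "corporate firewall" CA), issues a server certificate for the constructed host www.example.com from each, and evaluates the certificates against three checks: a store modelled on an OS certificate list that has had the firewall CA pushed into it, a store modelled on an application's own bundled root list without it, and a pin on the genuine root's public key. The CA names, serial numbers and host are assumptions of the example; it uses only Go's standard library and touches no network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert generates a P-256 key and signs tmpl with parent/parentKey; a nil
// parent means self-signed. Every certificate here is a constructed fixture.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// certTemplate builds a root-CA template when ca is true, else a server-cert template for host cn.
func certTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// spkiHash is the SHA-256 of the SubjectPublicKeyInfo, the value HPKP-style pins carry.
func spkiHash(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// pinned reports whether any certificate in any verified chain carries an expected pin.
// A chain that verifies but matches no pin is the "known cert doesn't match" condition.
func pinned(chains [][]*x509.Certificate, pins map[[32]byte]bool) bool {
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiHash(c)] {
				return true
			}
		}
	}
	return false
}

// Result records what each trust model decides about one leaf certificate.
type Result struct {
	OSStoreAccepts  bool // OS store with the firewall CA installed (Chrome on the company PC)
	OwnStoreAccepts bool // application's own root list without it (Firefox)
	PinMatches      bool // SPKI pin check against the site's genuine CA
}

// RunScenario issues one cert for host from a public root and one from an
// interception CA and evaluates both. Host and CA names are constructed.
func RunScenario(host string) (genuine, intercepted Result) {
	publicCA, publicKey := makeCert(certTemplate("Public Root CA (constructed)", 1, true), nil, nil)
	corpCA, corpKey := makeCert(certTemplate("Corp Firewall CA (constructed)", 2, true), nil, nil)
	osStore, ownStore := x509.NewCertPool(), x509.NewCertPool()
	osStore.AddCert(publicCA)
	osStore.AddCert(corpCA) // pushed into the OS store by company policy
	ownStore.AddCert(publicCA)
	pins := map[[32]byte]bool{spkiHash(publicCA): true}
	eval := func(leaf *x509.Certificate) Result {
		osChains, osErr := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: osStore})
		_, ownErr := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: ownStore})
		return Result{osErr == nil, ownErr == nil, pinned(osChains, pins)}
	}
	g, _ := makeCert(certTemplate(host, 3, false), publicCA, publicKey)
	i, _ := makeCert(certTemplate(host, 4, false), corpCA, corpKey)
	return eval(g), eval(i)
}

func main() {
	g, i := RunScenario("www.example.com")
	fmt.Printf("genuine cert:     %+v\nintercepted cert: %+v\n", g, i)
}
```

Run it with `go run`: the certificate issued by the firewall CA is accepted by the store that contains that CA and rejected by the one that does not, while the pin check flags it even though the chain verified. One caveat on the pin check: this example enforces pins regardless of which root vouched for the chain, whereas Chrome's built-in pinning is deliberately not applied to chains that end in a locally installed root, so on a managed machine with the firewall CA in the OS store it would not alert on the interception.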