In this open series, you can contribute shows that are on the topic of Privacy and Security
I had the opportunity to present a talk on SSL Certificates at our local LUG, the Washtenaw Linux Users Group, which uses some material from a previous HPR episode, but may be of interest to our listeners nonetheless. Because this was a lengthy presentation I have divided it into sections. This first section explains how SSL Certificates work, and the second one will explore some of the problems that we have with SSL Certificates, and how we might address those problems. For more go to https://www.zwilnik.com/?page_id=655
Comment #1 posted on 2016-08-18 19:17:47 by Ken Fallon
Not allowed in the EU
Excellent episode as always.
IAMAL but in the EU at least it is not permissible to intercept all communications via a local ssl cert, even if a policy is in place about non personal use of computers.
Google Chrome also implements checks to alert if the cert used on a site doesn't match the known cert (eg google.com turns out to be company.example.com)
Comment #2 posted on 2016-08-19 16:29:00 by Kevin O'Brien
Different in EU
Well, I am not a lawyer either, but it looks like EU and US are different in this regard. I can say that in the US the courts have ruled that it is legal since the company owns the computers.
Comment #3 posted on 2016-09-21 15:03:16 by clacke
Different within EU
Dropping in on the convo without having heard the episode (yet).
I'm in Sweden (which is in the EU), and the company I'm currently contracting for are pretty careful about dotting their i's and crossing their lawyerly t's, so I don't believe they would be risking doing anything illegal.
They intercept TLS traffic, but I don't know if they store anything, or if it's just for the content filter to work and then gets thrown away. Maybe that makes a difference.
Google Chrome uses the OS certificate list. So if you are on your company-issued Windows computer that has the firewall's TLS CA installed to facilitate interception, Chrome will accept the CA just as if it were a real CA. Firefox won't, because it has its own list.
Note to Verbose Commenters
If you can't fit everything you want to say in the comment below then you really should record a response show instead.
Note to Spammers
All comments are moderated. All links are checked by humans. We strip out all html. Feel free to record a show about yourself, or your industry, or any other topic we may find interesting. We also check shows for spam :).