On 19/07/2019 16:52, Troy Cauble wrote:
> On Thursday, July 18, 2019 at 8:26:43 PM UTC-4, [email protected] wrote:
>> Even on corporate hardware I would like at least a notification that this is
>> happening.
> I like the consistency of a reminder in all cases, but this
> might lead to corporate policies to use other browsers.
As someone actually running a corporate network, I would like to
emphasize that it is essential that such mechanisms try to clearly
distinguish the 5 common cases (listed by decreasing harmfulness).
1. A known malicious actor is intercepting communication (such as the
nation state here discussed).
2. An unknown actor is intercepting communication (hard to identify
safely, but there are meaningful heuristic tests).
3. A local/site/company network firewall is intercepting communications
for well-defined purposes known to the user, such as blocking virus
downloads, blocking surreptitious access to malicious sites or
scanning all outgoing data for known parts of site secrets (for
example the Coca-Cola company could block all HTTPS posts containing
their famous recipe, or a hospital could block posts of patient
records to unauthorized parties). This case justifies a non-blocking
notification such as a different-color HTTPS icon.
4. An on-device security program, such as a local antivirus, does MitM
for local scanning between the browser and the network. Mozilla could
work with the AV community to have a way to explicitly recognize the
per machine MitM certs of reputable AV vendors (regardless of
political sanctions against some such companies). For example,
browsers could provide a common cross-browser cross-platform API for
passing the decoded traffic to local antivirus products, without each
AV-vendor writing (sometimes unreliable) plugins for each browser
brand and version, while also not requiring browser vendors to write
specific code for each AV product. Maybe the ICAP protocol used for
virus scanning in firewalls, but run against 127.0.0.1 / ::1 (RFC3507
only discusses its use for HTTP filtering, but it was widely used for
scanning content from mail protocols etc. and a lot less for
insertion of advertising which is in the RFC).
5. A site, organization or other non-member CA that issues only non-MitM
certificates according to a user-accepted policy. Those would
typically only issue for domains that request this or are otherwise
closely aligned with the user organization. Such a CA would
(obviously) not be bound by Mozilla or CAB/F policies, but may need to
do some specific token gestures to programmatically clarify their
harmlessness, such as not issuing certs for browser pinned domains,
only issuing for domains listing them in CAA records or outside public
DNS, or similar.
I am aware of at least one system being overly alarmist about our
internal type 5 situation, making it impossible to distinguish from a
type 1 or 2 attack situation.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
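Cases 3, 4 and 5 in the post above all involve a chain that ends at a locally installed root rather than a root-program root, and the post's proposed distinguishing signal for case 5 is that the private CA is explicitly named in the domain's CAA records. The following Python is an added example, not code from the post, from Mozilla or from any browser; it implements CAA "relevant RRset" lookup with RFC 8659 semantics (climb towards the DNS root until a CAA RRset is found, an empty issuer name forbids all issuance, no CAA anywhere means unrestricted) and then uses that, plus where the trust anchor came from, to label a constructed chain with the post's case numbers. The zone data, chain fields, case labels and the `KNOWN_AV_MITM_ROOTS` set are all made-up sample values; cases 1 and 2 are collapsed into a single "unknown" label because the post itself says they cannot be told apart safely.

```python
"""Added example (not from the mailing-list post): CAA evaluation and a
toy labelling of observed certificate chains. All data is constructed."""
from dataclasses import dataclass

# Constructed CAA zone: FQDN -> list of (flags, tag, value) records.
SAMPLE_CAA_ZONE = {
    "example.com": [
        (0, "issue", "publicca.example"),
        (0, "issue", "corp-ca.internal; accounturi=hypothetical"),
        (0, "issuewild", "publicca.example"),
        (0, "iodef", "mailto:[email protected]"),
    ],
    "locked.example.com": [(0, "issue", ";")],  # ';' = no CA may issue
}


def relevant_caa(zone, fqdn):
    """RFC 8659 s.3: the relevant RRset is the first CAA RRset found when
    walking from the FQDN up towards the DNS root. [] if none exists."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def _issuer_name(value):
    # value is "issuer-domain-name [; param=value ...]"; empty name = nobody
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, fqdn, issuer_id, wildcard=False):
    """Issuance-time test: may `issuer_id` issue for `fqdn` under CAA?"""
    rrset = relevant_caa(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere in the tree: any CA may issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild overrides issue only for wildcards
    names = [_issuer_name(v) for _, t, v in rrset if t == tag]
    if not names:
        return True  # RRset exists but has no applicable property
    return issuer_id.lower() in names


def caa_explicitly_names(zone, fqdn, issuer_id):
    """Stricter criterion from the post's case 5: the domain must list the
    CA itself, so 'no CAA records' does NOT count as authorisation."""
    rrset = relevant_caa(zone, fqdn)
    listed = {_issuer_name(v) for _, t, v in rrset if t in ("issue", "issuewild")}
    return issuer_id.lower() in listed


@dataclass
class ObservedChain:
    """Constructed summary of a validated TLS chain as a client might see it."""
    hostname: str
    issuer_id: str              # CAA identifier the issuing CA uses
    root_name: str
    root_in_public_program: bool   # anchor shipped in the browser root program
    root_locally_installed: bool   # anchor added by OS/enterprise/AV installer


# Placeholder set; a real client would need a vetted list from AV vendors.
KNOWN_AV_MITM_ROOTS = {"Hypothetical AV Scanner Root"}


def classify(chain, zone=SAMPLE_CAA_ZONE):
    """Map a chain to the post's case numbers (3, 4, 5) or a coarse label."""
    if chain.root_in_public_program:
        return "public-ca"
    if not chain.root_locally_installed:
        return "unknown-interception"  # cases 1/2: no trusted anchor at all
    if chain.root_name in KNOWN_AV_MITM_ROOTS:
        return "case4-local-av"
    if caa_explicitly_names(zone, chain.hostname, chain.issuer_id):
        return "case5-private-ca"
    return "case3-site-proxy"  # local root forging certs for foreign domains


if __name__ == "__main__":
    demo = [
        ObservedChain("www.example.com", "corp-ca.internal", "Corp Root", False, True),
        ObservedChain("mail.other.example", "corp-ca.internal", "Corp Root", False, True),
        ObservedChain("www.example.com", "av-scan.example", "Hypothetical AV Scanner Root", False, True),
        ObservedChain("www.example.com", "evil.example", "Bogus Root", False, False),
    ]
    for c in demo:
        print(f"{c.hostname:24} root={c.root_name!r:32} -> {classify(c)}")
```

The two CAA functions differ on purpose: `caa_permits` answers the question a CA must ask before issuing (absence of CAA means "go ahead"), while `caa_explicitly_names` is the affirmative listing the post wants as a harmlessness signal, so an enterprise proxy forging certificates for domains that simply never published CAA does not get promoted from case 3 to case 5.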