- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Thu, 14 Nov 2013 12:24:27 +0100
- To: "Patrick McManus" <pmcmanus@mozilla.com>
- Cc: "William Chan (陈智昌)" <willchan@chromium.org>, "Adrien de Croy" <adrien@qbik.com>, "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Willy Tarreau" <w@1wt.eu>, "Mike Belshe" <mike@belshe.com>, "Tao Effect" <contact@taoeffect.com>, "Tim Bray" <tbray@textuality.com>, "James M Snell" <jasnell@gmail.com>, "Mark Nottingham" <mnot@mnot.net>, "HTTP Working Group" <ietf-http-wg@w3.org>
> On Wed, Nov 13, 2013 at 7:09 PM, William Chan (陈智昌)
> <willchan@chromium.org> replied to Willy:
>
>> Just to be clear, the MITM works because the enterprises are adding new
>> SSL root certificates to the system cert store, right? I agree that that
>> is terrible. I wouldn't use that computer :) I hope we increase awareness
>> of this issue.

Then you won't be paid, because the internal reporting app where you declare your work hours will use the same PKI and you'll need the cert to access it.

(And if you say that's bad: that's the same trick Google uses by putting its reCAPTCHA service, for example, on the same SNI as other Google services. You can't allow one without the others.)

You won't force enterprises not to MITM without giving them alternatives to monitor their traffic, and you won't help employees by having them fight their employer on such issues (if anything, they have better stuff to fight about).

-- 
Nicolas Mailhot
Received on Thursday, 14 November 2013 11:24:55 UTC