Hacker News
Ask HN: How to defend against SSL visibility appliances?
1 point by BCharlie on Dec 3, 2014 | 2 comments
Recently on Tor Talk, there was a discussion of SSL visibility appliances (https://www.bluecoat.com/products/ssl-visibility-appliance). They are able to strip out SSL transparently (good article here: http://www.zdnet.com/how-the-nsa-and-your-boss-can-intercept-and-break-ssl-7000016573/).

Are there any effective means to audit trusted CAs in browsers, so that none of these vendors are in the list? Manually reviewing every CA obviously isn't an option.

Does anyone have any good plugin suggestions, or defensive techniques?



I should also mention that I am not asking about defenses in particular applications, such as Tor, which does include hardcoded certs. I am more interested in everyday use while not using specialized services such as VPN clients and Tor.


Certificate pinning helps, although it obviously doesn't prevent an attack against something you haven't seen before.
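
A trust-on-first-use pin check illustrating the comment above, as an added example that is not part of the original thread. `PinStore`, `fetch_cert` and `demo` are hypothetical names, and the host names and certificate bytes in `demo` are constructed stand-ins; in real use the bytes would come from `fetch_cert`.

```python
import hashlib
import json
import os
import socket
import ssl
import tempfile


def fetch_cert(host, port=443):
    """Return the DER leaf certificate the network path presents for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


class PinStore:
    """Trust-on-first-use pins: host -> SHA-256 of the first certificate seen."""
    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def check(self, host, cert_der):
        fp = hashlib.sha256(cert_der).hexdigest()
        pinned = self.pins.get(host)
        if pinned is None:  # nothing to compare against, so whatever arrives is trusted
            self.pins[host] = fp
            with open(self.path, "w") as f:
                json.dump(self.pins, f)
            return "first-seen"
        # The whole leaf is pinned, so a legitimate renewal also reports MISMATCH.
        return "match" if pinned == fp else "MISMATCH"


def demo():
    genuine = b"constructed bytes standing in for the site's DER certificate"
    reissued = b"constructed bytes standing in for an appliance-issued certificate"
    with tempfile.TemporaryDirectory() as d:
        store = PinStore(os.path.join(d, "pins.json"))
        store.check("known.example", genuine)        # pinned earlier on a clean path
        return [
            store.check("known.example", genuine),   # same certificate again
            store.check("known.example", reissued),  # interception changes the cert
            store.check("new.example", reissued),    # never seen before: accepted
            store.check("new.example", reissued),    # and from now on looks normal
        ]
```

The last two results show the limitation the comment points out: a host first contacted through the appliance gets the reissued certificate pinned, and later checks report a match.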



