On Mon, Apr 17, 2023 at 12:45 AM <to...@tuxteam.de> wrote:
>
> On Sun, Apr 16, 2023 at 09:20:22PM -0400, Jeffrey Walton wrote:
>
> [...]
> > > Corporations don't need browser cooperation for Data Loss Prevention
> > > (DLP) (but they already have it). Corporations just run an
> > > interception proxy, like NetSkope. The NetSkope Root CA is loaded into
> > > every browser trust store. The application will terminate all traffic,
> > > inspect it, and forward the request if it looks innocuous.
> >
> > To be clear... The NetSkope Root CA is loaded into browsers for
> > computers owned by the corporation. I.e., part of the corporation's
> > standard image.
>
> Heh. You made me search for it in my browser's root CA store ;-)
>
> Anyway, your points are all valid. I do recommend having a look
> at the browser's default root CA store before saying "you're safe
> with TLS". This is just marketing. TLS is but one tool.
Yeah, I call it the "CA Zoo." The browsers will let just about anyone
into the store. All you need to do is check the boxes.

If interested in the day-to-day operations, subscribe to Mozilla's
dev-security-policy list at
https://groups.google.com/a/mozilla.org/g/dev-security-policy. It is
where CAs come to join the store.

There are some efforts to reduce the risk from the CA Zoo. For
example, VISA restricts the list as detailed at
https://developer.visa.com/pages/trusted_certifying_authorities .
VISA's list is 41 in size. It is better than the 150+ in Mozilla's
and Chrome's lists.

> Don't get me wrong: I think widespread use of TLS is a Good Thing.
> But going about it as if it was Redemption is paternalistic to the
> point of being counterproductive.
>
> Security is a process, not a product, as Schneier says.

Jeff
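One way to act on the "look at your root CA store" advice above, as an added example that is not part of the thread: audit a PEM trust-store bundle against an allowlist of root fingerprints (in the spirit of a restricted list like VISA's) and report every root that is not on it, which is where a corporate interception CA or any other zoo inhabitant shows up. The sample store below is built from constructed placeholder bytes, not real certificates; `audit_system_store` reads whatever CA file this machine's OpenSSL reports, if any.

```python
from __future__ import annotations
import base64
import hashlib
import re
import ssl
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def parse_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def audit_store(bundle_text: str, allowlist: set[str]) -> tuple[list[str], list[str]]:
    """Split a store into (roots on the allowlist, roots that are not).
    A root pushed by a corporate image for an interception proxy lands in the second."""
    seen = [fingerprint(der) for der in parse_pem_bundle(bundle_text)]
    return ([fp for fp in seen if fp in allowlist],
            [fp for fp in seen if fp not in allowlist])

def audit_system_store(allowlist: set[str]):
    """Audit the CA file OpenSSL reports for this machine; None if there is none."""
    cafile = ssl.get_default_verify_paths().cafile
    if not cafile or not Path(cafile).exists():
        return None
    return audit_store(Path(cafile).read_text(), allowlist)

def pem_block(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block with the usual 64-char lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample store: placeholder bytes stand in for real DER certificates.
SAMPLE_ROOTS = {name: f"constructed DER for {name}".encode() * 4
                for name in ("Root A", "Root B", "Corp Interception CA")}
SAMPLE_BUNDLE = "".join(pem_block(der) for der in SAMPLE_ROOTS.values())
# Allowlist in the spirit of a restricted list such as VISA's: only A and B.
ALLOWLIST = {fingerprint(SAMPLE_ROOTS["Root A"]), fingerprint(SAMPLE_ROOTS["Root B"])}

if __name__ == "__main__":
    allowed, unexpected = audit_store(SAMPLE_BUNDLE, ALLOWLIST)
    print(f"{len(allowed)} allowlisted root(s); unexpected: {unexpected}")
```

To audit a real store, export it from the browser (or point `audit_store` at a bundle such as Mozilla's) and fill the allowlist with the fingerprints you have actually decided to trust.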