Martin:
>>> At the point that I have sufficient control over a host that I can run
>>> my software, then I would pin certificates and the best you could do
>>> is block me. None of the advice about configuration of trust anchors
>>> (pinning, overrides, etc...) helps at that point.
>>
>> Correct. Which is why it's critical in the intranet context, within a
>> single span of administrative control, to have visibility into the actual
>> cryptostream.
>
> Roland, I think that you missed my point here. My point was that you
> don't get that visibility when it is malware at both ends of the
> connection (assuming a modest amount of competency from the authors).
I think that the IDS is trying to detect an infected server trying to migrate to another server. Malware often includes a series of exploits that are tried in sequence to infect a neighbor, and this activity provides a detectable signature.

Russ

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
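An added example, not part of Russ's message or of any IDS product: one way to express the "series of exploits tried in sequence against a neighbor" signature as detection logic over flow metadata. The heuristic (one source hitting several distinct destination ports on the same neighbor inside a short window, with a final established connection marking a likely success) is my assumption about what that signature looks like, and the log lines are constructed, not captured. Because it keys only on timestamps, addresses and ports, it does not need visibility into the payload, which is the reason such a detection still works when both ends of the TLS connection are under the malware's control.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connection attempts, in the shape a flow sensor
# or host firewall might log them: "timestamp src dst dport outcome".
# 10.0.0.5 walks SMB, NetBIOS, RDP and WinRM on 10.0.0.7 and then lands
# an SSH session; 10.0.0.9 is ordinary HTTPS traffic to the same host.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 10.0.0.7 445 reset
2024-01-01T10:00:01 10.0.0.5 10.0.0.7 139 reset
2024-01-01T10:00:02 10.0.0.5 10.0.0.7 3389 reset
2024-01-01T10:00:03 10.0.0.5 10.0.0.7 5985 reset
2024-01-01T10:00:04 10.0.0.5 10.0.0.7 22 established
2024-01-01T10:00:10 10.0.0.9 10.0.0.7 443 established
2024-01-01T10:05:00 10.0.0.9 10.0.0.7 443 established
2024-01-01T10:30:00 10.0.0.5 10.0.0.8 445 reset
"""


def parse_log(text):
    """Turn the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, outcome = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "outcome": outcome,
        })
    return records


def detect_exploit_chains(records, window=timedelta(seconds=30), min_ports=3):
    """Flag (src, dst) pairs where one source tries at least `min_ports`
    distinct destination ports on the same neighbour within `window`.

    Thresholds are illustrative assumptions; tune them to the network.
    Returns one alert per offending pair, covering every attempt that
    falls inside the window that first tripped the threshold."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)

    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if len({e["dport"] for e in events[start:end + 1]}) < min_ports:
                continue
            # Threshold reached: extend to every later attempt still within
            # `window` of the first one so the alert shows the whole chain.
            last = end
            while (last + 1 < len(events)
                   and events[last + 1]["ts"] - events[start]["ts"] <= window):
                last += 1
            chain = events[start:last + 1]
            alerts.append({
                "src": src,
                "dst": dst,
                "ports": sorted({e["dport"] for e in chain}),
                "first_seen": chain[0]["ts"].isoformat(),
                "last_seen": chain[-1]["ts"].isoformat(),
                # A completed handshake after the failed probes suggests one
                # of the attempts worked; worth prioritising in triage.
                "succeeded": any(e["outcome"] == "established" for e in chain),
            })
            break
    return alerts


if __name__ == "__main__":
    for alert in detect_exploit_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample input this produces a single alert for 10.0.0.5 against 10.0.0.7 listing ports 22, 139, 445, 3389 and 5985 with `succeeded` set, and nothing for the HTTPS traffic from 10.0.0.9 or the lone SMB attempt on 10.0.0.8. A real deployment would feed it flow records rather than a string and would want per-source aggregation as well, since a worm that rotates targets on each attempt would not trip a per-pair threshold.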