From: TLS <tls-boun...@ietf.org> on behalf of Tony Arcieri <basc...@gmail.com>
Date: Saturday, March 24, 2018 at 11:31 AM
Subject: Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)
> On Fri, Mar 23, 2018 at 11:26 PM, Alex C <immi...@gmail.com> wrote:
>> As I understand it (poorly!) the idea is exactly to have a single system on
>> the network that monitors all traffic in cleartext.
>
> And more specifically: to be able to *passively* intercept traffic and allow
> it to be decrypted by a central system. "Visibility" with an active MitM is a
> solved problem: have the MitM appliance double as an on-the-fly CA and install
> its root certificate in the trust stores of all the clients you intend to
> MitM.

It's not a solved problem for mutual authentication scenarios even if you drop the passive requirement (as should be done in such cases anyway).
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
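The closing point of the reply, that an on-the-fly CA in the clients' trust stores does not get an interception appliance past client-certificate (mutual) authentication, as an added example that is not part of the thread. It is a toy model in Python: the RSA parameters are tiny fixed primes, the handshake transcript is reduced to ClientHello plus ServerHello, and the names `sign`, `verify`, `transcript` and `run_mitm_with_client_auth` are constructed for illustration, not taken from any TLS implementation.

```python
"""Toy model: why an active TLS MitM (on-the-fly CA) fails against client
certificate authentication.  Everything here is constructed for illustration;
the RSA modulus is far too small to be secure."""
import hashlib
import os

# --- toy signature scheme: textbook RSA over two fixed Mersenne primes ---
# (constructed, insecure; stands in for the client's certificate key pair)
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                                  # client's public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # client's private exponent


def _h(data: bytes) -> int:
    """Hash the message to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(priv: int, msg: bytes) -> int:
    return pow(_h(msg), priv, N)


def verify(pub: int, msg: bytes, sig: int) -> bool:
    return pow(sig, pub, N) == _h(msg)


# --- toy handshake transcript ---
def server_hello(owner: str) -> bytes:
    """A ServerHello carries 32 bytes of server random plus the key share;
    whoever plays the server picks them, the other side cannot."""
    return owner.encode() + os.urandom(32)


def transcript(client_hello: bytes, srv_hello: bytes) -> bytes:
    """TLS 1.3 CertificateVerify signs a hash of the handshake so far."""
    return hashlib.sha256(client_hello + srv_hello).digest()


def run_mitm_with_client_auth() -> dict:
    """Simulate an appliance that terminates TLS on both legs.

    Leg A: client <-> appliance.  The appliance's forged server cert is
    trusted because its CA root was installed on the client, so the client
    completes the handshake and signs a CertificateVerify over leg A's
    transcript with the key only it holds (D).
    Leg B: appliance <-> real server.  The real server asks for a client
    certificate.  The appliance has no D, so the best it can do is forward
    the CertificateVerify from leg A.  That signature covers leg A's
    transcript, which contains the appliance's own ServerHello, not the
    real server's, so the server's check fails.
    """
    client_hello = b"ClientHello" + os.urandom(32)

    leg_a = transcript(client_hello, server_hello("appliance"))
    cert_verify_a = sign(D, leg_a)          # produced by the client

    leg_b = transcript(client_hello, server_hello("real-server"))
    return {
        "client_auth_to_appliance": verify(E, leg_a, cert_verify_a),
        "replayed_to_server": verify(E, leg_b, cert_verify_a),
    }


if __name__ == "__main__":
    print(run_mitm_with_client_auth())
```

The only way to make the two transcripts agree is for the appliance to relay the real server's ServerHello, key share included, to the client unchanged; at that point the appliance no longer holds the handshake secrets and is back to the passive observer the thread is arguing cannot decrypt anything. A defender can use the same property: a service that requires client certificates cannot be transparently intercepted by an on-the-fly CA, and unexpected handshake failures on such services are worth alerting on.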