From: Rich Freeman
Date: Tue, 1 Jun 2021 09:29:32 -0400
Subject: Re: [gentoo-user] app-misc/ca-certificates
To: gentoo-user@lists.gentoo.org
List-Id: Gentoo Linux mail
References: <20210529030839.123d8526@melika.host77.tld> <5480288.DvuYhMxLoT@iris> <61db8745-dbb4-9c7e-80a9-6725905178c4@iinet.net.au>

On Tue, Jun 1, 2021 at 7:59 AM Adam Carter wrote:
>>
>> And another "wondering" - all the warnings about trusting self-signed
>> certs seem a bit self-serving. Yes, they are trying to certify who you
>> are, but at the expense of probably allowing access to your
>> communications by "authorised parties" (such as commercial entities
>> purchasing access for MITM access - e.g. certain router/firewall
>> companies doing deep inspection of SSL via resigning or owning both end
>> points).
>
> AFAIK in an enterprise MITM works by having a local CA added to the cert
> stores of the workstation fleet, and having that CA auto-generate the
> certs for MITM. That didn't work with certificate pinning, but pinning
> has been deprecated.

So, I don't know all the ways that pinning is implemented, but if you're
talking about using MITM to snoop on enterprise devices on the enterprise
network I'd think that pinning wouldn't be an issue, because you control
the devices from cradle to grave. Just ensure the pinned certificates are
the ones that let you MITM the connections.

Now, if your organization has some sort of guest network for
non-enterprise devices then pinning would obviously block MITM of
connections made by those devices. Really though I'm not sure you'd want
to be snooping stuff like this - it seems like more legal headaches than
it is worth.
You want to sniff your OWN traffic for IDS/etc or other unauthorized use,
and since you're sniffing traffic from devices you own you don't have the
same legal issues (I won't say no legal issues, but certainly monitoring
your own devices is very different from monitoring those you don't own).
You shouldn't even be allowing uncontrolled devices on those networks in
the first place. If you want to detect unauthorized devices, MITM isn't
really the best solution - just use positive authentication of known-good
devices up-front, and anything that doesn't pass that test is treated as a
threat and shouldn't even be able to send traffic.

-- 
Rich
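The mechanism Adam describes (a local CA added to the fleet's cert stores, auto-generating certs) and the pinning that Rich says would catch it, as an added example that is not from this thread: it mints a constructed public CA and a constructed local intercept CA with Go's standard crypto/x509, issues a cert for the same host under each, and shows that ordinary chain validation accepts the re-signed cert once the local CA is trusted, while an SPKI pin recorded from the genuine cert does not. CA names and the host are constructed; nothing here touches a real trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint builds a CA or server certificate for name (every name here is constructed), gives it a
// fresh P-256 key and signs it with parentKey, or with its own key when parent is nil (a root).
func mint(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if !isCA { // a server cert is bound to its host name and may not sign other certs
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{name}
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario models the thread: a fleet trust store holding the public CA plus a local intercept CA, and a
// proxy re-signing a look-alike cert for host under it. Returns: genuine chain valid, re-signed chain valid,
// SPKI pin recorded from the genuine cert still matches the re-signed leaf.
func Scenario(host string) (genuineOK, proxiedOK, pinStillMatches bool) {
	publicCA, publicKey := mint("Public Root CA", true, nil, nil)
	localCA, localKey := mint("Corp Intercept CA", true, nil, nil)
	genuine, _ := mint(host, false, publicCA, publicKey)
	proxied, _ := mint(host, false, localCA, localKey) // fresh key, so its SPKI differs from genuine's
	store := x509.NewCertPool()
	store.AddCert(publicCA)
	store.AddCert(localCA) // the one thing the enterprise pushes to every managed workstation
	opts := x509.VerifyOptions{Roots: store, DNSName: host} // ordinary chain and hostname validation
	_, errGenuine := genuine.Verify(opts)
	_, errProxied := proxied.Verify(opts)
	pin := sha256.Sum256(genuine.RawSubjectPublicKeyInfo) // HPKP-style pin: SHA-256 of the SPKI
	return errGenuine == nil, errProxied == nil, sha256.Sum256(proxied.RawSubjectPublicKeyInfo) == pin
}
func main() { fmt.Println(Scenario("example.com")) } // prints: true true false
```

Chain validation alone cannot tell the two certs apart because the local CA is a trusted root on the workstation; only the pin, which records the key rather than the issuer, flags the substitution.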