Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)

Carl Wallace <> Sat, 24 March 2018 16:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A759412D7E6 for <>; Sat, 24 Mar 2018 09:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RIMo2bahZfDa for <>; Sat, 24 Mar 2018 09:47:01 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 12B7112D7E5 for <>; Sat, 24 Mar 2018 09:47:01 -0700 (PDT)
Received: by with SMTP id c20so4943405ywa.2 for <>; Sat, 24 Mar 2018 09:47:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=sI37fGuvjNYaIn1oIEMschypKIfHWLmxy2T/9M/H/zU=; b=f0o4y40TTInBcySibMAhoESB+o3CoxWqr4quhWMU7JnZ6d031ZLYEMzuNVc64NRqG7 rnxuyjAhUXK+Bttz/9C3JiY+Gu+CULk6Nkn34zeEafz1gajv+T+f0341ZdCO394wdhvW F79PAZPkfNIIAGkiB3SbaFfCoA+KKlVQ90m+M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=sI37fGuvjNYaIn1oIEMschypKIfHWLmxy2T/9M/H/zU=; b=sIEPdbsXOrbbMhu0jRhA1qtIXJjU8i+WyX47Ng5O/kZlThUHJH+Vw+BgyexvL+7Ody herj13+mzF3VSwNWnBu8/HBjpp5AMaSkIGI1U2vnXyxHxrCfckNs5qndsDGt6HTAMFu5 7qLnD3tosQRnx5x34yMahdj2QLo9IpUcHxHn4n9Njoeben53dnyNW1TOTaD4QHJKwadS yCtk911PogWqGGzygqdi+YtWsUORHKuuiLQYkQRIVFrc8bcpXypEf1Yayc+UEXcsQT3q UyGcpnHheO6TL84yzm8boiNYhEOrLZ6bPW2dF2HSPcqNk0is5Gl7CMEKUv1a6cjJApZ4 NqCA==
X-Gm-Message-State: AElRT7G4AQaimFqZ+o8jpw6tyJVuVQ6DCFPShlKjzykZTS0OE/kXHcgl bINDm9E6N8TcEiNEoSTy2/8GWg==
X-Google-Smtp-Source: AG47ELs43jXdlov6QzAhBzAk5ZcqAQlnKEI7mVXVVxjgMW8tzMySId86Dm0OHRESWN/ZyAAliQPMjg==
X-Received: by with SMTP id v186mr19883981ywd.163.1521910020073; Sat, 24 Mar 2018 09:47:00 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id c128sm4392677ywb.0.2018. (version=TLS1 cipher=AES128-SHA bits=128/128); Sat, 24 Mar 2018 09:46:59 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/
Date: Sat, 24 Mar 2018 12:46:52 -0400
From: Carl Wallace <>
To: Tony Arcieri <>
CC: "" <>
Message-ID: <>
Thread-Topic: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)
References: <> <> <>
In-Reply-To: <>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3604740419_2159102"
Archived-At: <>
Subject: Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do it)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 24 Mar 2018 16:47:03 -0000

From:  TLS <>; on behalf of Tony Arcieri
Date:  Saturday, March 24, 2018 at 11:31 AM
Subject:  Re: [TLS] Breaking into TLS for enterprise "visibility" (don't do

> On Fri, Mar 23, 2018 at 11:26 PM, Alex C <>; wrote:
>> As I understand it (poorly!) the idea is exactly to have a single system on
>> the network that monitors all traffic in cleartext.
> And more specifically: to be able to *passively* intercept traffic and allow
> it to be decrypted by a central system. "Visibility" with an active MitM is a
> solved problem: have the MitM appliance double as an on-the-fly CA and install
> its root certificate in the trust stores of all the clients you intend to
> MitM.

It's not a solved problem for mutual authentication scenarios even if you
drop the passive requirement (as should be done in such cases anyway).