Re: [TLS] [EXTERNAL] Re: SSL cert - CA issuer question - WIndows Event Reporting CA

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 08 June 2023 03:42 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Date: Thu, 08 Jun 2023 03:42:15 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nOdIZtLqGQ09oBRxpnN5VKdfXcI>

@M K Saravanan: if you export (w/o private key) and share the cert with me, I can take a look. Windows does not MITM TLS connections.

Cheers,

Andrei

-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Martin Thomson
Sent: Wednesday, June 7, 2023 2:17 PM
To: tls@ietf.org
Subject: [EXTERNAL] Re: [TLS] SSL cert - CA issuer question - WIndows Event Reporting CA

On Wed, May 10, 2023, at 10:36, M K Saravanan wrote:
> When I first access that website, for e.g. https://www.cloudflare.com/
> the issuer CA is shown as "Windows Event Reporting CA".

What you have there is known as interception.  Something on your machine (Windows Event Reporting maybe) has installed a CA and is intercepting connections.

Some people call this bad, or a MitM attack.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
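
Added example, not part of the original messages: a Python sketch for checking which CA issued the certificate a machine actually sees, and for saving that certificate (public part only) so it can be shared for analysis. The sample observations are constructed, "Example Public CA" and "Example Org" are placeholders, and the expected-issuer set is assumed to be supplied by the operator.

```python
import socket
import ssl

# Constructed sample data shaped like ssl.SSLSocket.getpeercert() output.
# "Example Public CA" is a placeholder; the other issuer name is the one
# reported in the thread.
SAMPLE_OBSERVATIONS = [
    ("first visit", {"issuer": ((("commonName", "Windows Event Reporting CA"),),)}),
    ("later visit", {"issuer": ((("organizationName", "Example Org"),),
                                (("commonName", "Example Public CA"),))}),
]

def issuer_cn(cert):
    """Return the issuer commonName from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate this machine sees: (parsed dict, PEM text).

    The default context validates against the platform trust store, so a
    chain ending in a CA installed in that store is accepted and reported
    as-is. The PEM holds only the public certificate, never a private key.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.getpeercert(), ssl.DER_cert_to_PEM_cert(der)

def unexpected_issuers(observations, expected):
    """List (label, issuer CN) for observations whose issuer is not expected."""
    findings = []
    for label, cert in observations:
        cn = issuer_cn(cert)
        if cn not in expected:
            findings.append((label, cn))
    return findings

if __name__ == "__main__":
    for label, cn in unexpected_issuers(SAMPLE_OBSERVATIONS, {"Example Public CA"}):
        print(f"{label}: issuer {cn!r} is not in the expected set")
```

To check a live host, pass the dict returned by fetch_cert() as an observation and write the returned PEM text to a file.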