Date: Sat, 2 May 2015 01:58:15 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: On sanctioned MITMs Hi, I feel that this is borderline off-topic for oss-security because of no specific relevance to Open Source, unless the discussion is somehow refocused on aspects that are directly Open Source relevant - e.g., "should we block these CDNs (and how) in Open Source software's SSL/TLS certificate validity checks because of those specific risks" - that's just an example of what would bring the discussion on-topic for this list, not an actual suggestion (I think such blocking would be bad). On Fri, May 01, 2015 at 07:15:22PM +0000, mancha wrote: > How should the security community view this growing use of sanctioned > MITM in light of the ever-increasing amount of sensitive content sent > over SSL/TLS encrypted channels (e.g. email, electronic banking, medical > records, etc.)? I will only address an aspect that is on-topic here: I've recently received an off-list inquiry from a company in this space (a "sanctioned MITM" software and appliance vendor) on how they can request distros list membership. My reply included: "According to what you wrote, Company Name should not be on distros, so I would recommend that you not make the request. However, to have it fairly discussed (or not, as several of the recent on-hold requests haven't been discussed to a point of acceptance or rejection), and hopefully rejected, please feel free to post to the oss-security list." This highlights that if/once we accept some closed source distro vendors to distros, the next round of headache will be inquiries/requests from vendors like these - and in fact at that point this won't seem as unreasonable as it does to me now. This is (obvious and expected) slippery slope. This makes me sad. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ