Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 2 May 2015 01:58:15 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: On sanctioned MITMs

Hi,

I feel that this is borderline off-topic for oss-security because of no
specific relevance to Open Source, unless the discussion is somehow
refocused on aspects that are directly Open Source relevant - e.g.,
"should we block these CDNs (and how) in Open Source software's SSL/TLS
certificate validity checks because of those specific risks" - that's
just an example of what would bring the discussion on-topic for this
list, not an actual suggestion (I think such blocking would be bad).

On Fri, May 01, 2015 at 07:15:22PM +0000, mancha wrote:
> How should the security community view this growing use of sanctioned
> MITM in light of the ever-increasing amount of sensitive content sent
> over SSL/TLS encrypted channels (e.g. email, electronic banking, medical
> records, etc.)?

I will only address an aspect that is on-topic here:

I've recently received an off-list inquiry from a company in this space
(a "sanctioned MITM" software and appliance vendor) on how they can
request distros list membership.  My reply included:

"According to what you wrote, Company Name should not be on distros, so
I would recommend that you not make the request.  However, to have it
fairly discussed (or not, as several of the recent on-hold requests
haven't been discussed to a point of acceptance or rejection), and
hopefully rejected, please feel free to post to the oss-security list."

This highlights that if/once we accept some closed source distro vendors
to distros, the next round of headache will be inquiries/requests from
vendors like these - and in fact at that point this won't seem as
unreasonable as it does to me now.  This is (obvious and expected)
slippery slope.  This makes me sad.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.