or How SSL Should Work
Enterprises are known to intercept and inspect SSL-protected employee web traffic- often without adequate understanding on the employee’s behalf- and almost certainly without the consent of the entity operating the server. The cases of Trustwave- TURKTRUST- and ANSSI show how the confidentiality of client-server communications is further threatened by the mounting abuse- misuse- incompetence- and compromise of trusted certificate authorities. Prior notice and the need to install custom root certificates are no longer technical hurdles impeding SSL interception.This talk will dispatch beliefs that SSL interception is only a client-side concern- and that addressing it using client-side certificates is impractical. We discuss how to leverage built-in browser and server-side capabilities- well-understood in academia but rarely used in practice- to achieve mutual client-server authentication. Using these techniques- the server- too- now has a say in whether its traffic can be intercepted and inspected.