SSL Man-in-the-middle

Again a great "Security Now" podcast about SSL: how governments can sniff SSL traffic by enforcing Certificate Authorities to provide them with (intermediate CA) certificates. Based on this paper. Great story, recommended reading or listening!

Some things that I picked up:

• Different CA's can provide you with SSL certificate for same URL (or whatever)
• Internet Explorer (actually the Windows crypto) downloads extra CA's dynamically; so the list you see in IE can grow behind the scenes
• Firefox manages the list of trusted CA's itself
• There is no standard policy for when a CA is accepted by browser vendors
  
• The list of trusted CA's should be based on your geographical location
• Trusting a CA is somewhat equivalent to trusting a government
  
• Browser should provide (advanced) users with extra features to help them decide if CA certificate should be trusted or not

In my daytime job, SSL/TLS is used a lot for communication between IT systems within the corporate firewall or with business partners across the Internet. Low level configuration of SSL/TLS is often not supported:

• Configure single CA (or self-signed) cert to be trusted for specific outbound connection (e.g. when business partners have defined their "own CA")
• Different SSL client certificate per outbound connection
  
• Easy configuration revocation checks (OCSP etc); and checking if the revocation checks actually work
• Different timeout settings per connection
  
• Only accept SSL connections on specific interfaces