joerg_rw
Posts: 2,222 | Thanked: 12,651 times | Joined on Mar 2010 @ SOL 3
#4
Originally Posted by shawnjefferson:
Of course, if you are the US gov, and you have forced google.com to just hand over their SSL private keys, you can just decrypt any SSL sessions for which you have packet captures. (Also another tool that corporate IT security departments use to protect their own web servers; SSL decryption and inspection at wire speeds.)
Err, see (EC)DHE and PFS, aka "perfect forward secrecy". It happens that Google actually does use PFS:
http://stackoverflow.com/questions/1...orward-secrecy

also:
joerg@saturn:~> openssl s_client -connect wiki.maemo.org:443
...
Cipher : DHE-RSA-AES256-GCM-SHA384
:-D

And no, your company's security team implements a true MITM on your gateway to do SSL inspection, which nevertheless usually requires you to accept or install the company's own root cert into your list of trusted certs.
__________________
Maemo Community Council member [2012-10, 2013-05, 2013-11, 2014-06 terms]
Hildon Foundation Council inaugural member.
MCe.V. foundation member

EX Hildon Foundation approved
Maemo Administration Coordinator (stepped down due to bullying 2014-04-05)
aka "techstaff" - the guys who keep your infra running - Devotion to Duty http://xkcd.com/705/

IRC(freenode): DocScrutinizer*
First USB hostmode fanatic, father of H-E-N

Last edited by joerg_rw; 2014-01-30 at 19:55.
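Added illustration of the point made in the post above; this is not joerg_rw's code nor anything from the Maemo project. It is a toy Python model of the two key-exchange styles: RSA key transport, where the server's long-term key decrypts the premaster secret, versus DHE, where that key only signs a fresh Diffie-Hellman share. Textbook RSA without padding, a random prime with generator 2 as the DH group, and a SHA-256 "key schedule" are stand-ins chosen for the demo; the names `ServerKey`, `rsa_key_transport`, `dhe_handshake` and `can_impersonate_server` are my own, and none of it is real TLS.

```python
# Toy model (not TLS) of the point in the post: with RSA key transport the
# server's private key decrypts captured sessions; with (EC)DHE it only signs
# ephemeral shares, so the same key unlocks nothing captured earlier.
import hashlib
import random
import secrets

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for demo-sized numbers (witnesses from random)."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def _enc(x):
    return x.to_bytes(128, "big")

def _kdf(secret):
    """Stand-in for the TLS key schedule: session key = H(secret)."""
    return hashlib.sha256(b"toy-session" + _enc(secret)).hexdigest()

class ServerKey:
    """Textbook RSA (no padding): the server's long-term key pair."""

    def __init__(self, bits=512):
        while True:
            p, q = _random_prime(bits // 2), _random_prime(bits // 2)
            phi = (p - 1) * (q - 1)
            if p != q and phi % 65537:  # e = 65537 must be invertible mod phi
                break
        self.n, self.e, self.d = p * q, 65537, pow(65537, -1, phi)

    def encrypt(self, m):
        return pow(m, self.e, self.n)

    def decrypt(self, c):
        return pow(c, self.d, self.n)

    def sign(self, msg):
        return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), self.d, self.n)

    def verify(self, msg, sig):
        return pow(sig, self.e, self.n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def rsa_key_transport(longterm):
    """RSA suite: the client encrypts the premaster secret to the server's public key.
    Returns (session key, what a passive eavesdropper holding `longterm` recovers)."""
    premaster = secrets.randbelow(longterm.n - 2) + 2
    wire = {"enc_premaster": longterm.encrypt(premaster)}  # the captured bytes
    session = _kdf(premaster)
    # The server decrypts with its private key; so can anyone who obtains it later.
    return session, _kdf(longterm.decrypt(wire["enc_premaster"]))

def dhe_handshake(longterm, p, g):
    """DHE suite: the long-term key only signs a fresh DH share.
    Returns (session key, what a passive eavesdropper holding `longterm` recovers)."""
    b = secrets.randbelow(p - 2) + 1  # server's ephemeral exponent
    wire = {"server_share": pow(g, b, p)}
    wire["sig"] = longterm.sign(_enc(wire["server_share"]))
    if not longterm.verify(_enc(wire["server_share"]), wire["sig"]):
        raise RuntimeError("client rejects unauthenticated share")
    a = secrets.randbelow(p - 2) + 1  # client's ephemeral exponent
    wire["client_share"] = pow(g, a, p)
    session = _kdf(pow(wire["server_share"], a, p))
    assert session == _kdf(pow(wire["client_share"], b, p))
    del a, b  # both sides discard their exponents after the handshake
    # The capture holds g^a, g^b and a signature. The private key verifies the
    # signature but never touched g^ab, and getting a or b back from the shares
    # is the discrete-log problem: there is nothing to decrypt with.
    assert longterm.verify(_enc(wire["server_share"]), wire["sig"])
    return session, None

def can_impersonate_server(longterm, p, g):
    """What the stolen key still buys: an ACTIVE attacker can sign its own share
    and MITM new connections. Old captures stay sealed; that is forward secrecy."""
    rogue = pow(g, secrets.randbelow(p - 2) + 1, p)
    return longterm.verify(_enc(rogue), longterm.sign(_enc(rogue)))
```

Call `rsa_key_transport(ServerKey())` and the recovered key equals the session key; call `dhe_handshake(key, _random_prime(256), 2)` and the eavesdropper gets `None`, while `can_impersonate_server` still returns `True`. That split is exactly the practical consequence of a `DHE-RSA-*` or `ECDHE-RSA-*` cipher: a handed-over RSA key lets someone forge new sessions (and a corporate gateway does the same with its own root cert, as the post says), but it does not open the packet captures already on disk. Real TLS uses ECDHE curves or standardised finite-field groups rather than the throwaway prime here, and TLS 1.3 removed RSA key transport altogether.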