Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20150501225815.GA628@openwall.com>
Date: Sat, 2 May 2015 01:58:15 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: On sanctioned MITMs

Hi,

I feel that this is borderline off-topic for oss-security because of no
specific relevance to Open Source, unless the discussion is somehow
refocused on aspects that are directly Open Source relevant - e.g.,
"should we block these CDNs (and how) in Open Source software's SSL/TLS
certificate validity checks because of those specific risks" - that's
just an example of what would bring the discussion on-topic for this
list, not an actual suggestion (I think such blocking would be bad).

On Fri, May 01, 2015 at 07:15:22PM +0000, mancha wrote:
> How should the security community view this growing use of sanctioned
> MITM in light of the ever-increasing amount of sensitive content sent
> over SSL/TLS encrypted channels (e.g. email, electronic banking, medical
> records, etc.)?

I will only address an aspect that is on-topic here:

I've recently received an off-list inquiry from a company in this space
(a "sanctioned MITM" software and appliance vendor) on how they can
request distros list membership.  My reply included:

"According to what you wrote, Company Name should not be on distros, so
I would recommend that you not make the request.  However, to have it
fairly discussed (or not, as several of the recent on-hold requests
haven't been discussed to a point of acceptance or rejection), and
hopefully rejected, please feel free to post to the oss-security list."

This highlights that if/once we accept some closed source distro vendors
to distros, the next round of headache will be inquiries/requests from
vendors like these - and in fact at that point this won't seem as
unreasonable as it does to me now.  This is (obvious and expected)
slippery slope.  This makes me sad.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.