[HowTo Guide] How to force users to install CA root certificate to gain access
-
Yeah, in an "enterprise" environment you can live your paternalistic wet dreams.
I know some decent countries where you go to jail for something like this MITM plot. And I'm proud of the respective legislation there.
Because I know that nerds like you are managing open WLANs, I removed all wireless stuff completely from my computers. I don't want to get infected with this kind of malware just by the whims of some misanthrope "admins".
Hope you stay in your China-North Korea corner of the world and get happy there!
It's a shame to have such a thread in a security forum of an open-source firewall AT ALL.
-
Well, if you have a better way to scan HTTPS traffic for malicious packets, cmb, then we are waiting to hear it. The fact that encrypted malware traffic can travel through networks to endpoints, and completely escape inspection, is also a massive security hole. It is not for you to make decisions for other administrators about what is the greater threat, and you don't know the level of control they maintain over client systems.
You're talking about a scenario where you own the endpoints. If you own the systems and decide that's what you want to do, fine, as I already said.
OP's talking about a public access network, forcing people to create a serious security hole on their computers to use a public wifi network. That's unacceptable. There's a reason no one (else) does this.
-
Also, about the "Dell root certificate" issue, I don't think that was a bad thing really.
However, the "Superfish root certificate" was a very bad thing to do. The major difference between these 2 is intent.
The Dell root certificate was done for the user's own good, to make updating the computer through an automated scheduled-updates tool easier, by having the software package drivers and updates client-side, and then "self-sign" them, so the system would not refuse to install the drivers. Yes, there was a big flaw that compromised eavesdropping security on those computers, but still, it was not done for bad purposes; it was rather done to improve security by making sure the computer always had the latest updates. It was just that the implementation was bad by having one certificate for all computers, instead of generating a unique certificate for each computer.
The Superfish certificate, however, was a very bad thing. Extremely bad. The reason that was bad is that the Superfish certificate was only made for one single purpose: to shove money into the wrong people's pockets, by showing third-party ads on websites (adware). That certificate would be bad even if they generated a unique one per computer.
Think of TSA locks. They compromise the security of people's bags because they are extremely easy to pick and the keys were leaked (link to news site) a long time ago. And in the same way, regular locks are compromised too by using bolt cutters, so when the bag arrives at baggage, anyone can go through it and steal content or place contraband. But they do improve airport security because TSA officials can go through the bags for bombs. And I bet that if you would try to check in a safe, the TSA officials would demand that you give them the code to the safe to check it. (And no, they won't allow you to open it in person due to the classified areas that the inspection is made in; either you give the code or the safe, and you, are not getting aboard.)
And if they don't want their content gone through by TSA officials, they don't need to use an airport.
And in the same way:
If they don't want to install the certificate, they don't need to use my network. The certificate install isn't fully automatic; the user still needs to click on a link and then confirm a security warning to install. Personally, I think eavesdropping (by untrusted parties, like hackers and such) is so uncommon that eavesdropping security (encryption) can be safely traded for malware security (virus scanning), even if that makes eavesdropping by anyone possible.
When was the last time you heard of somebody eavesdropping on a connection such that sensitive details could be stolen? Today, sensitive details are usually stolen via phishing, and with the new Let's Encrypt, that is made even worse because now many phishing sites have that "Trusted lock" icon too, while it evades any phishing filters (that do GET URL scanning).
When was the last time you heard someone was infected by a drive-by download? I hear about it almost every day.
The last time I got infected by a drive-by was just about a month or two before I installed my 2.3 pfSense firewall (I even have the date in my event logs: 2016-03-10). It was an ad-supported forum that opened a popup ad. A few seconds later, there were a lot of shortcuts on my desktop that Microsoft Edge had created, and then something started up that always showed a casino ad each time my computer started up, and also casino ads on every page (even this page).
Had to uninstall a lot of crap (lots of EXEs like uac_skip.exe and such in my Temp & system32 folders) and run antispyware, antivirus, and such. And as the "thing" modified browser components, it could display its ads even on SSL-protected pages. I think the modifications in my browser components are still there, but they are inactive now as the software that interfaces with these modified browser components is gone. And no, I didn't need to click on anything; everything just did itself fully automatically. And no, MSE didn't catch it either.
And THAT was a much more major compromise than even installing the eDellRoot certificate would be. Because that adware could have keylogged my computer regardless of whether it were installed, and sent all my details to completely untrusted individuals that would misuse the details to steal money. Now, with pfSense and good AV signatures, the same popup window on the same site is blocked by squidClamav. (Some JS exploit, it reports.)
cmb: What would you choose?
That casino auto-download and no root certificate install.
Or, install my root certificate, and not get that casino auto-download. Personally, I would choose the second, even if that meant that my ISP or the hotspot I'm currently on could read all my banking traffic. Because if I select a particular ISP, or a particular hotspot, I do it because I trust that ISP or hotspot. I would never sign up for an ISP or use a hotspot I didn't trust.
And I think the same should apply for everyone. Don't use an ISP or hotspot if you don't fully trust the owners of it (in such a way that you would even trust them with your banking credentials). I trust my ISP, and that's why I chose them. I even sent my banking credentials to them when they couldn't find the payment for a bill, and allowed them to log on to my bank account. They finally found the payment when it turned out to be a misspelled reference ID.
I think people need to trust other people more, and not just blindly encrypt everything? Or what do you think?
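The trade-off argued above (accepting a locally installed interception root, and the eDellRoot case where one root certificate and key were shared by every machine) is something a client can at least detect rather than silently accept. The following is an added example, not code from this thread or from pfSense, written from the defender's side: it pins the SHA-256 fingerprint of the certificate a client expects to see from a site, flags a served certificate that does not match (which is what a transparent TLS proxy produces, since it must re-sign with its own root), and audits a trust store for roots that are not on a known-good allowlist. The "certificates" below are constructed placeholder bytes wrapped in PEM framing so the script runs offline; they are not real X.509 certificates, and the function names are this example's own.

```python
import base64
import hashlib
import ssl


def pem_from_der(der: bytes) -> str:
    """Wrap raw DER bytes in PEM framing (used here only to build constructed test input)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate, matching what browsers display as the cert fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # stdlib: strips the PEM armour and base64-decodes
    return hashlib.sha256(der).hexdigest()


def check_pinned(pem: str, pinned_fingerprints: set) -> dict:
    """Compare the certificate a server actually presented against the pins recorded at provisioning time.

    A mismatch is the signature of interception: a proxy that decrypts TLS must present a certificate
    it signed itself, and that certificate can never have the pinned fingerprint.
    """
    fp = sha256_fingerprint(pem)
    return {"fingerprint": fp, "pinned": fp in pinned_fingerprints}


def audit_trust_store(store_pems: list, known_good_fingerprints: set) -> list:
    """Return fingerprints of trust-store roots that are not on the allowlist.

    An interception root (whether installed by a hotspot's "click here" page or preloaded by a vendor)
    shows up here because it will never be in the allowlist built from public CA roots.
    """
    unexpected = []
    for pem in store_pems:
        fp = sha256_fingerprint(pem)
        if fp not in known_good_fingerprints:
            unexpected.append(fp)
    return sorted(unexpected)


def fetch_server_certificate(host: str, port: int = 443) -> str:
    """Live helper for real use (not exercised offline): fetch the PEM certificate a host presents."""
    return ssl.get_server_certificate((host, port))


# Constructed sample input: placeholder bytes, NOT real DER certificates.
GENUINE_LEAF_PEM = pem_from_der(b"constructed: genuine leaf cert for bank.example")
INTERCEPTED_LEAF_PEM = pem_from_der(b"constructed: leaf re-signed by a hotspot proxy")
PUBLIC_ROOT_PEM = pem_from_der(b"constructed: a public CA root")
INTERCEPT_ROOT_PEM = pem_from_der(b"constructed: a root a captive portal asked the user to install")

# Pins are recorded once, out of band, when the client is provisioned on a trusted path.
PINS = {sha256_fingerprint(GENUINE_LEAF_PEM)}
KNOWN_GOOD_ROOTS = {sha256_fingerprint(PUBLIC_ROOT_PEM)}


if __name__ == "__main__":
    print("genuine cert:", check_pinned(GENUINE_LEAF_PEM, PINS))
    print("intercepted cert:", check_pinned(INTERCEPTED_LEAF_PEM, PINS))
    print("unexpected roots in store:", audit_trust_store([PUBLIC_ROOT_PEM, INTERCEPT_ROOT_PEM], KNOWN_GOOD_ROOTS))
```

In real use the pin set would be built from `fetch_server_certificate` run from a network you trust, and the trust-store audit would read the exported PEM roots of the machine being checked; a root such as eDellRoot or Superfish would appear in the unexpected list because its fingerprint is not that of any public CA.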
-
I think you're insane. I don't trust anything outside my WAN interface. I don't trust much on the inside either. Lots of crypto there too.
I would disconnect the internet before I would install a trusted root cert from my ISP. I would NEVER EVER EVER trust a root cert from some wifi hotspot.
Wifi hotspots are some of the most notoriously insecure networks on the planet, but you say you trust them. Or at least you trust the ones you choose to use.
That casino auto-download and no root certificate install.
Or, install my rootcertificate, and not get that casino auto-download. Auto-download every single time. I'd rather get crypto locker than install your root cert. I don't need you to protect me, thank you very much.
-
Then we are quite different. Maybe it's because of my AS?
Why would you not trust your ISP? Why not change to an ISP you can trust?
I can understand, however, that you don't trust anything outside the WAN, as there are many hackers out there that are constantly scanning for IPs and trying to get their things into everyone's computer. About hotspots, it's exactly that. I select hotspots carefully. I don't blindly connect to "R4nd0mH0tsp0t" in an untrusted suburban area, but rather I select good hotspots I know are run by good individuals and have adequate security like fake hotspot detection and ARP spoofing prevention, which McD, Espressohouse, my network (built into my DAP-2695), and Telia hotspots in my local area all do have. And also when I'm at other people's homes, I would only connect to their wifi if I'm currently visiting someone I trust.
-
This here makes my worst dreams come true about the thinking/behavior of admins. Please tell me all this here is comedy. PLEAAAASE!
I'm not really sure, but even in Sweden (the land of Censilia Malmstöm https://en.wikipedia.org/wiki/Cecilia_Malmström) this should be illegal, after all….
-
cmb: What would you choose?
That casino auto-download and no root certificate install.
Or, install my rootcertificate, and not get that casino auto-download. Poll added. See top of thread.
-
Sebastian, after our PM exchange, I have to confess: I can't take this here seriously any more. Sorry. Bye.
-
The NSA has a certificate they would like you to install…
-
@sebastiannielsen any chance you could send or share with me the php files that were removed here?
For those paranoid about SSL interception: get a life, it's part of the security portfolio security consultants have. DLP (data leakage protection) requires SSL inspection and there are quite a few commercial products out there that cater to SSL inspection and the monitoring/reporting/filtering that goes along with it. Legally it's in the same bracket as employers having access to your work email and CCTV warnings when entering buildings. If it happens, it's covered by the IT policy employees sign up for and/or the terms and conditions accepted when using guest access. Don't like it, then don't use it…
-
Let's just drop the latest example of MITM idiocy here: https://bugs.chromium.org/p/project-zero/issues/detail?id=978
AVs/MITM makes you more secure? What a load of bullshit!!!
- http://www.forbes.com/sites/thomasbrewster/2017/01/25/trend-micro-security-exposed-200-flaws-hacked/#774bef8055d6
- https://googleprojectzero.blogspot.cz/2016/06/how-to-compromise-enterprise-endpoint.html