How To Become A Fingerprint Service Provider

Secure browser connections can be intercepted and decrypted
by authorities who spoof the authentic site's certificate. But
the authentic site's fingerprint CANNOT be duplicated!

Fingerprinting 10 remote servers. . .

Custom Site Fingerprinting

In improver to the well-known web sites listed above, GRC's web server can obtain and display the "fingerprint" of any HTTPS-capable public web server'south secure connectedness document. Simply enter the domain proper name of the server you wish to fingerprint, and so press Enter or click the "Fingerprint Site" push:

What's this about?

The Internet is a cooperative PUBLIC Data NETWORK. Its data traffic flows effectually the earth freely, transported past an incredible variety of intermediate carriers. These carriers cooperate because they need each other equally: "I'll deport your traffic if you lot'll conduct mine." And the system works. But with all of this traffic zipping around all over the place, in full public view, how do we KNOW that nosotros are

actually

continued to our bank, our medical records database, or whatsoever other public or private website? Websites are (obviously) easy to create, so copying a popular website and redirecting traffic there would not exist difficult. And, unfortunately, the world has no shortage of people who would like to do that.

The original un-secured HTTP spider web connections never attempted to authenticate or encrypt their connections. Users who knew enough to wonder and worry could simply promise that they were actually interacting with the website they intended. And that was fine back when the Internet was only a curiosity. But the Internet has grown into a resources where people conduct business, identify orders, exchange stock, refer to their medical histories, perform their cyberbanking, and everything else—very much every bit they exercise in the physical earth. For the "cyber versions" of these activities to be feasible, users expect, need, and must take security and privacy.

The "S" added to the terminate of the "HTTP" ways SECURE.

(Or at to the lowest degree it was supposed to.)

The presence of the unbroken central or the lock icon on the spider web browser once meant that the connection betwixt the user and the remote web server was authenticated, secured, encrypted . . .and non susceptible to whatsoever form of eavesdropping by any third party. Unfortunately, that is no longer always true.

What happened?

To raise their users' security and privacy, an ever increasing number of spider web sites are switching from traditional "HTTP" to the more than secure "HTTPS" connections—similar THIS spider web page. This type of secured connection is known as SSL or TLS ("Secure Sockets Layer" and "Transport Layer Security") two names for the same thing. What's meaning is that the data sent back and forth over any HTTPS/SSL/TLS connection is encrypted by engineering no one knows how to break. Really, no one. Information technology'southward truly secure.

In the early days of the Net, the encryption provided by HTTPS connections was difficult and time consuming to establish, so these "expensive" connections were usually reserved for logging into a site (to protect the user'south name and password) or when submitting very sensitive information, such as private credit card numbers and purchasing information. Since HTTPS connections were one time used sparingly, anyone wishing to monitor, watch, record and log the actions of users on the Internet could practice so easily, but by eavesdropping on the data moving through the wires. Just equally technology has advanced, the price of employing unbreakable encryption for all connections has become feasible. So today more and more websites are switching to always using encrypted HTTPS connections.

This has been smashing for Net users, who await and want their use of the Internet to remain personal and private. But employers, educational institutions, and others accept become unhappy that their traditional network traffic monitoring and filtering is increasingly blinded by the growing use of HTTPS connection encryption. (The Us FBI refers to this as the "Going Nighttime Problem" since they, too, are able to see less and less of what's going on. For them, the Internet is "going nighttime" all effectually them.)

Private institutions—corporations, schools, and other organizations—have responded to this "loss of visibility" into every detail of their employees' and students' Internet usage by deploying new technology known as "HTTPS Proxy Appliances". These devices circumvent our most basic supposition and guarantee of Cyberspace browser privacy and security.

Net providers, public and individual, cannot control what
they cannot come across . . .and so they insist upon seeing everything.

How is this possible?

Written report the post-obit argument very carefully until you're sure yous understand what it is proverb. It is the key:

Spider web browsers trust the identity assertion made by a remote web
site when that site presents a certification of its identity that has
been signed past a higher authority that the browser already trusts.

Many years agone, the people at Netscape who developed the first popular web browser, invented a solution to both the need for Internet privacy (encryption) and security (hallmark). Their concept was elegant and simple and has endured to this day: A 3rd political party who we trust has assured us that our encrypted traffic is going merely to the website we intend. Here how that works:

At that place are entities known as "Certificate Authorities" (CA) to whom spider web sites prove their identity in the real physical world using incorporation documentation, Dun & Bradstreet records, their publicly known telephone numbers, and so along. When a spider web site has proven its identity with sufficient certainty, the Certificate Authorisation (CA) will put its reputation on the line by digitally signing the site's security certificate which contains an exclamation of its identity.

When an Internet browser establishes a secure connectedness with a remote site, that site must provide that signed document for the web browser'south inspection. The spider web browser already contains a (long) list of all the trusted and reputable document regime that be in the world. So the browser is able to verify the authenticity of the certificate provided by the spider web site by verifying that information technology was properly digitally signed by one of the many certificate authorities information technology trusts to sign website identity certificates.

How is this elegant organisation subverted?

Whatever corporation, educational institution, or other Internet connectivity provider who wishes to monitor every Internet action of its employees, students or users—every private user ID & password of every social networking or cyberbanking site they visit, their medical records, all "secure" eMail . . .EVERYTHING—merely arranges to add

one additional "Pseudo Certificate Dominance" to their users' browsers or computers

. It'south that simple.

Here's a 2013 existent-world example:

Nokia caught secretly decrypting mobile browser traffic: ZDNet reports
security researcher Gaurang Pandya'south discovery that the "secure" HTTPS traffic
from his web browser was being

decrypted

by Nokia's servers. (Run across the link.)Nokia's reason is valid: Encrypted information appears as pseudo-random dissonance and
cannot be compressed. Just they did this secretly and there's no style to disable
it. Opera'southward Mini browser does the aforementioned thing for the same reason, but makes it
optional and explains information technology clearly. And while Nokia says they would never pry, the
fact is that since they Can, in the U.s. they could be compelled to do so.

For example, suppose that "Bendover Industries" installs a commercially available "SSL Proxy" (also known as an HTTPS or TLS Proxy). And so, equally office of prepping computers for apply inside their network, Bendover'south IT department simply adds i additional "trusted" Certificate Authorization to each figurer. That's all it takes.

Now, whenever anyone inside Bendover'south network makes a "secure" connection to any remote public web site—their bank, Google Mail service, Facebook, anything—that connection is intercepted by Bendover'southward SSL Proxy appliance earlier it leaves the building. On-the-fly, the SSL Proxy Appliance creates a fraudulent "spoofed" web server document in order to impersonate the intended remote web site, and information technology signs that fraudulent certificate itself using the signature of the besides-fraudulent Certificate Authorisation that was previously planted inside the user's browser or estimator.

Because the impersonation is perfect, neither the browser nor the user can readily detect that they do non have a securely encrypted direct connection to the remote web site. Their browser shows every facet of a standard secured SSL connexion—all the locks and pretty colors and everything we accept been trained to look for and check for are present . . .

Instead of connecting to the remote web server, the browser is "securely" connected but to the local Proxy Appliance which is decrypting, inspecting, and logging all of the material sent from the browser. Information technology inspects all content to decide whether it abides by any arbitrary policies the local network is enforcing. It's users take NO privacy and NO security. Or peradventure it but silently logs & records everything for possible future demand. Either way, it has obtained full access to everything the user enters into their spider web browser.

A example in point: Blue Glaze Systems, Inc.

An older entry (2011-11-i) from Blue Point's blog
In this posting from more than than two years ago they explain how the spider web's increasing apply of SSL & TLS encryption [primarily for privacy, of course, which their technology violates] has made user activities more and more invisible. Quoting verbatim from the posting: There was a time when a spider web proxy that handled web pages in the clear covered almost all the web pages of interest for an organization'due south policy compliance. Today, webmail offerings routinely apply SSL encrypted logins and even maintain SSL connections for the spider web based email session. SSL is also used today wherever personal credentials are entered, whether information technology's a social networking site, shopping or other amusement site. Because of the widespread use of encryption on websites, making certain you use an SSL proxy (basically a proxy that can inspect and enforce policy around the contents within an SSL session) is more of import than always.
And speaking of "policy", here's their blog posting from 2013-01-18 where they make up one's mind to remove their "checkbox" for automatic detection and filtering of "LGBT" (Lesbian, Gay, Bisexual, Transgender) cloth. Quoting over again from the posting: Based in part on customer feedback, nosotros have decided to remove the LGBT category from Blue Glaze WebFilter. Content volition cease to be rated in the LGBT category effective immediately, and the category volition be removed from Blueish Coat WebFilter in the next production release.
This of course means that until now they have been offering to filter and alarm for LGBT content.

I take no position near the morality or ideals of this—though it would be rubber to say that as an abet for individual responsibility and privacy, I'k not a fan. I point it out merely to demonstrate that the privacy-invading technology does indeed be and is readily available to anyone who desires its deployment.

I created this folio to enable anyone to easily make up one's mind
whether and when SSL Interception is being used on them!

And from Microsoft:

Never to be left (far) behind, this dialog box presented by Microsoft'due south "Forefront Threat Direction Gateway" shows the options offered for "HTTPS Inspection." Note the warning near the lesser. They know this is slimy behavior:

Completing the lie:

Once the SSL Proxy Appliance has decrypted, inspected and judged the user'south content, it establishes a second secure connection to the remote web server—this time impersonating the user. Bold that the user'southward asking and information meet with the network's policies, or perhaps after having all been logged, the data is re-encrypted through the 2d connection to the remote web site . . .just as if nothing had happened.

Can this SSL Interception exist PREVENTED?

No. Merely it Tin exist reliably detected because it is Not POSSIBLE to COMPLETELY spoof Whatsoever security certificate!

Follow this logic carefully, it's the primal:

Public and Private keys form cryptographically matched pairs. Information technology is not feasible to derive 1 from the other, yet what one encrypts only the matching other can decrypt. Website SSL security certificates provide the site's Public cryptographic cardinal which is the public side of the server's secret Individual cryptographic key which is never publicly disclosed. Merely the certificate's public key tin be used to encrypt data which the remote server tin decrypt but using its matching private central. Since the SSL Proxy Apparatus does not have the private central of the remote server—considering only the remote server has it—the fake & fraudulent certificate the SSL Proxy provides to the user'due south web browser is forced to use a different public key for which information technology does have a matching individual cardinal. And that means that no matter how hard any SSL-intercepting Proxy Appliance may try to spoof and fake whatever other server's certificate, the certificate'south public key MUST BE DIFFERENT.

Hither comes the flake almost Fingerprints:

Anyone examining an SSL certificate (similar this page or your web browser) tin create a "cryptographic hash" or "digest" of the document'due south contents. Cryptographic hashes are complex mathematical algorithms which carefully process every unmarried chip of what they "digest." They have the amazingly property that

if even one scrap within the document is inverse

, an average of

half

of the fingerprint's hash bits volition change in response! In other words, when such a cryptographic hash is used to "fingerprint" a document any change, no matter how small, volition result in a COMPLETELY different fingerprint.

Fingerprints offering incredibly sensitive and strong detection of anything changed anywhere in a security document. Document fingerprints were originally based upon the "MD5" (Message Digest 5) hashing algorithm. Just over time researchers establish MD5 to be a bit weak in some special cases which might have been exploitable. So the entire manufacture (and this spider web site) has switched over to using the newer, stronger and even more secure "SHA1" (Secure Hashing Algorithm i) hashing algorithm.

Permit's bring information technology habitation . . .

All SSL-intercepting Proxy Appliances MUST provide a fraudulent spoofed certificate containing a public primal for which it has the matching private primal, and that private central cannot exist the aforementioned as the actual remote server'south because private keys are a closely held secret and no one knows any server'south private primal.

This means that no matter how much any SSL Proxy Appliance might want to duplicate a remote server's document . . .it cannot. It is impossible. And the document'south fingerprint, which can be easily viewed through any web browser'due south user-interface, completely gives abroad the lie:

The remote server's Existent document and the SSL Appliance'due south FAKED certificate MUST
Have AND Volition Accept radically different fingerprints. They volition not be remotely like.

And at present we know what this folio does!

YOUR spider web browser'southward Internet connection MAY exist intercepted by your employer, school, church, ISP or whatever organization is providing the Internet connection. But GRC'due south connection is Non beingness intercepted by anyone. We use the "Tier i" provider "Level 3" to connect straight to the Cyberspace Backbone with no third-party between u.s.a. and any remote website. And so, with this page, We can obtain whatever website'southward authentic HTTPS fingerprint to show you what it SHOULD Be.

THIS PAGE will only allow itself to be delivered from GRC over a secure and encrypted SSL connection. So your web browser will testify SOME SSL document fingerprint . . .simply will information technology be GRC's authentic fingerprint, shown here?:

7A:85:1C:F0:F6:9F:D0:CC:EA:EA:9A:88:01:96:BF:79:8C:E1:A8:33

The fingerprint of GRC's accurate security document

. . .or volition it be the necessarily dissimilar fingerprint of a fraudulent SSL interception certificate that was created for the deliberate purpose of attempting to fool yous and your spider web browser?

If you lot are currently—correct now—viewing this folio from within Any network that is intercepting and spoofing SSL connections (the dialog box above conspicuously shows that Microsoft offers this "feature"), and if THIS specific connection was intercepted, the fingerprint of GRC's accurate SSL security certificate shown to a higher place will NOT match the fingerprint shown past your web browser. And the same is true for whatsoever websites your local network may exist secretly intercepting.

Note that fingerprint Example and :Colons: do not affair:

The SHA1 fingerprint hash displayed by web browsers usually (just not always) apply UPPERCASE "hexadecimal" formatting, and normally (but not always) separate each pair of characters with a colon. That's why this web page chose that most common display format. If your browser uses lowercase and/or uses spaces instead of colons, those are only display choices and exercise not affect the fingerprint contents. So the following two fingerprints are IDENTICAL:

05:0A:A7:C3:5F:85:F0:A8:5B:fourteen:1D:B6:7F:67:8C:sixty:4F:2nd:DE:D3
05 0a a7 c3 5f 85 f0 a8 5b 14 1d b6 7f 67 8c sixty 4f 2d de d3

(So it is always condom to ignore the alphabetic case and colons.)

How to display this page'south (or any page's) SSL certificate fingerprint:

Each web browser is a chip unlike, but hither's where to (currently) find the certificate fingerprints in the more popular spider web browsers. (And y'all tin can probably figure this out for any others.)

Net Explorer:

Right-click somewhere on the page.
Select "Properties" at the lesser of the pop-upwards menu.
Click the "Certificates" button on the Backdrop page.
Verify that the "Issued to" name exactly matches what this GRC page shows.
Click the "Details" tab to alter views.
Set the "Show" selector to "<All>" if it isn't already.
Ringlet down to the end of the listing to "Thumbprint" (which is what Windows calls information technology).
Click on the "Thumbprint" particular to select information technology and bear witness the full thumbprint in the window.

Google Chrome:

Click on the padlock at the far left end of the URL address bar.
Select the "Connection" tab.
Click on "Certificate Information".
Verify that the "Issued to" name exactly matches what this GRC page shows.
Click the "Details" tab to alter views.
Set the "Show" selector to "<All>" if it isn't already.
Coil down to the end of the list to "Thumbprint" (which is what Windows calls it).
Click on the "Thumbprint" detail to select it and testify the total thumbprint in the window.

Mozilla Firefox:

Click on the padlock at the far left end of the URL address bar.
Click the More "Data..." push.
Click the "Security" icon/tab at the top of the "Page Info" dialog.
Click "View Certificate".
Verify that the certificate's name under "Mutual Proper noun (CN)" exactly matches what this GRC page shows.
The SHA1 fingerprint is shown under "Fingerprints".

Apple Safari:

Click the [https padlock] icon at the far left end of the URL address bar.
Click "Bear witness Certificate".
Click the arrow to expand the "Details"
Verify that the certificate's "Common Proper noun" exactly matches the name shown on the GRC page.
Scroll to the bottom to view the certificate'due south SHA1 Fingerprint.

The But WAY the SHA1 fingerprints can match, is if the certificate GRC just now
obtained DIRECTLY from the remote web server is IDENTICAL to the document
YOUR web browser also just obtained Direct from the remote web server.

Only IF this SSL page was intercepted, its document fingerprint volition HAVE TO BE DIFFERENT since authentic SSL certificates are impossible to perfectly duplicate.

A Crucially Important Spoofing Exception!!

While researching ways to assist our visitors verify their connection fingerprints, we hit upon one type of certificate which, when properly handled, equally they accept been in the Firefox and Chrome (and Chromium), just not Net Explorer . . . CANNOT BE SPOOFED at all!!

In Firefox and Chrome, only 100% authentic Extended Validation
(EV) certificates will display the extra "Green" indication!

This www.GRC.com web site e'er uses Extended Validation (EV) certificates. So if yous are viewing this EV site through a properly-designed web browser, such as Firefox or Chrome (merely not Internet Explorer, since Microsoft deliberately allows EV indications to be forged) and you DO see the special EV treatment in the address bar, then you lot KNOW your connectedness to United states is Not being intercepted (and too that this folio's contents have not been contradistinct!) But if the special EV indication is Not beingness displayed . . . and then yous instantly know that something IS intercepting and spoofing this web site'southward certificate!

Or to put it another way: If you are using Firefox or Chrome somewhere that never shows any EV certificates, so you ARE using a connectedness that is being intercepted, and your web browser is existence presented with deliberately fraudulent certificates . . .since EV certificates cannot be spoofed!

Note that because extended validation certificates are completely spoof-proof (nether Firefox and Chrome) we bear witness the true EV status for every fingerprinted site. This allows you to decide whether whatever site you select should be showing as EV in your Firefox or Chrome browser.

Delight come across our The Special Power of Extended Validation Spider web Site Certificates page for an in-depth discussion of the value and spoofing-resistance of extended validation certificates.

What tin go wrong with this test?

There ARE several things to consider:

Imitation-Positive Mismatches:

Smaller web sites, like this one (GRC) and those others listed in a higher place, deploy merely

one

security certificate on one or more than web servers (For example, our wonderful certificate provider, DigiCert, specifically allows usa to employ the same unmarried certificate on every bit many servers every bit necessary.)

But companies with a massive and widely distributed web presence, such equally Amazon or Google, may deploy many dissimilar security certificates beyond their many globally distributed servers and web sites. Multiple certificates may be easier for them to obtain and manage, and their security is not reduced. But information technology does hateful that non every user of their servers (like you and this GRC page) would necessarily obtain the aforementioned security document.

This means that a unproblematic comparison of certificate fingerprints could erroneously atomic number 82 people wishing to exam these huge websites to conclude that their connections were being intercepted, when they have simply received a dissimilar valid certificate than the one received and shown by this spider web page.

The best solution is to examination smaller sites that are known to exist using unmarried certificates, or sites using the completely unspoofable extended validation (EV) certificates with an EV-honoring spider web browser such as Firefox or Chrome (but not Internet Explorer, which doesn't properly verify EV certificates).

Machine-Resident Interception:

At least two anti-malware products — BitDefender and Kaspersky A/5 — operate as local HTTPS intercepting proxies. They obviously do this in club to browse the machine's secured and encrypted inbound web content for anything malicious. Just this is quite disturbing because, even though it's for a good purpose, there are other ways to access the content after it has been decrypted and earlier it reaches the spider web browser. So this incredibly intrusive and security-breaking approach is not necessary . And this besides has very negative side effects, such as breaking the display of all EV (extended validation) spider web sites. This is really bad. Since you are ALWAYS being intercepted, you lot can NEVER verify whether it's simply once . . .or more. (Note that I tin can and practise vouch for the value of Kaspersky as a terrific security threat research group. But this arroyo is wrong.) If it is possible to temporarily disable this aspect of their "protection", then you could perform remote interception testing while the local interception is disabled.

BitDefender Interception Configuration: Under "Settings" / "Privacy Control"
you will detect an on/off slider "Scan SSL" which tin can be used to temporarily or
permanently enable or disable this single aspect of BitDefender's functioning.

Note that since extended validation (EV) certificates cannot be spoofed, any use of these machine-resident connection intercepting systems will disable all extended validation document display.

Strange Web Server Configuration:

The only criteria for web servers is that they work, not that they necessarily brand much sense to users. For instance, these are the two Different certificates we receive for the wordpress.com domain with, and without, the "world wide web" prefix:

Domain Proper name	Certificate Name	Security Certificate's Authentic Fingerprint
wordpress.com	wordpress.com	7A:C1:B2:7E:09:FF:88:03:C3:E9:B7:4F:31:F4:Air conditioning:75:79:BA:66:E6

Domain Name	Certificate Proper name	Security Certificate'southward Authentic Fingerprint
www.wordpress.com	*.wordpress.com	7A:C1:B2:7E:09:FF:88:03:C3:E9:B7:4F:31:F4:Air-conditioning:75:79:BA:66:E6

As you tin see, depending upon how we ask for the certificate, with or without the "www" prefix, nosotros receive two entirely different certificates. They accept unlike certificate "Common Names" (Certificate Names) and, of course, radically different fingerprints.

The lesson here is that you MUST exist vigilant near comparing the "Document Name", besides known every bit the "Mutual Proper name" on the certificate with what this GRC page shows here to be sure you are examining and comparing the SAME document. The result of not existence careful, would be a "falsely positive" belief that SSL interception was occurring when it is not. And we don't want that.

The possibility of a "GRC Exception":

SSL-intercepting Proxy Appliances are highly configurable. In fact, in many cases the so-chosen "C-level" executives within a corporation—the CEO, CFO, CIO, CTO, COO, etc.—do non have their own SSL connections intercepted at all! Information technology's only the lowly and less trusted peons who need to be spied upon.

So, theoretically, specific web sites like this one could be excluded from SSL-interception, decryption and logging. Therefore, if THIS SSL Fingerprinting facility at GRC were to become popular, SSL-interception Proxies could make an exception and deliberately non intercept your browser's connections to GRC. Then the GRC fingerprints would match, and visitors would be atomic number 82 to falsely believe that NO OTHER connections were being intercepted.

IF WE Always Larn THAT THIS IS Existence Done
WE Volition IMMEDIATELY UPDATE THIS PAGE.

But that's why this page obtains the fingerprints for many of the summit spider web sites on the Internet . . .they would all need to be bypassed for your web browser to obtain the aforementioned fingerprint for them every bit GRC . . .which seems unlikely to be done. And that's also why we added the "Custom Site Fingerprinting" feature: Only you lot know which domains y'all desire to verify are NOT existence intercepted.

VERY unlikely, but needs to be mentioned . . .

In one case SSL Interception is occurring, the folio CONTENT beingness delivered over SSL can no longer be admittedly trusted. Since the pages are already being decrypted and scanned for content, nothing prevents them from also being contradistinct. What that means is, though it is incredibly unlikely, an SSL-intercepting Proxy Appliance could theoretically modify THIS page on the fly, before your web browser receives it. Such an alteration could replace the accurate fingerprints the GRC server has received and forwarded to your web browser with fraudulent fingerprints for the sites existence tested. (Simply at that place's a solution to that as well.)

IF WE Ever Larn THAT THIS IS BEING DONE
WE Will IMMEDIATELY UPDATE THIS Folio.

And remember that since GRC is 100% secured using Extended Validation (EV) certificates, if yous are viewing this site through a browser such every bit Firefox or Chrome, which properly validates EV certificates, and if you are seeing the special greenish EV display in your browser's address bar for this folio, and then the connection tin not possibly have been intercepted and altered. (See this folio for a total discussion of the special anti-spoofing power of extended validation certificates.)

But there's a solution to THAT as well!

All you need to do is go home (or anywhere that'southward unlikely to accept SSL interception in identify) and so bring up and impress merely the start page of this GRC Fingerprints page. Now yous'll have a handy hardcopy showing the authentic fingerprints of those tiptop popularity spider web sites shown at the top when this folio is showtime presented. Bring the printout back to where you're wondering about SSL interception and filtering. Bring up a few of those sites and compare their fingerprints to the handy printout. If they friction match, you know admittedly that they are NOT being filtered. And if they don't friction match . . .something fishy may well exist going on.

Additional Resources:

Ship the states any feedback, questions, thoughts, ideas, etc., near this HTTPS connection fingerprinting page.
Michael Horowitz'due south "Defensive Calculating" blog at ComputerWorld has a terrific and even more extensive explanation of this issue. If you're interested in reading more than about this, check it out!
Direct Domain Admission: Webmasters who wish to place links on their own sites to allow their visitors to exist assured of their connexion'due south privacy, may simply append the string "?domain=domain.name" to the finish of this page'southward URL. And so, for instance, to directly display the certificate fingerprint for "www.pbs.org", the URL would exist: https://www.grc.com/fingerprints.htm?domain=www.pbs.org
(click it and see)
A WIRED Magazine article discussing a device fabricated by "Parcel Forensics" for perpetrating exactly this sort of secretive connexion interception.
A comprehensive White Paper (1.27 mb PDF) which accompanied Jeff Jarmoc's presentation at the Black Lid Europe, March fourteen, 2012, briefing. Jeff'southward presentation and newspaper were titled: SSL/TLS Interception Proxies and Transitive Trust.
A Spanish language explanation of these ideas: Miguel Mollejo, a valued contributor to GRC'south public newsgroups, has thoughtfully produced a Spanish language caption of these ideas.