Cloud Middleman

Security Concepts: Restricted Domain Certificates

Keeping us safe from intruders, and you safe from us.

In a certain way of thinking, there are two kinds of device profile you can create in Cloud Middleman: those with domain restrictions, and those without.

For devices without domain whitelists, we have you install our general-purpose Certificate Authority, which we then use to spoof certificates for all your traffic. If you have a proper understanding of all the words in the previous sentence, your reaction should be a sensation of suspicion and/or discomfort. Luckily, there's a way we can log the traffic you want us to, without obtaining blanket permission from your device to do so for all domains.

When you create a domain-restricted device, we will generate a special CA certificate just for that device. The certificate will be marked as a CA but disallowed from issuing certificates. It also contains a Subject Alternative Name constraint on the domains that you provided (along with any subdomains).

The downside is, you need to install a new CA for every device profile you create. The upside is, even if we did attempt to snoop on your traffic on any domain not listed in the certificate, we would be prevented by the magic of cryptography from doing so. Your browser (or other http client) would simply fail the SSL handshake before sending any data (not even the url). So, when you have a domain list on your device profile, the proxy will instead use standard HTTPS proxying to tunnel your traffic directly to the endpoint. No logging, no snooping, no problem.

"Ah," some of you say, "but what of the VPN authentication CA that I'm made to install as a root?" That's very astute of you, Windows user. Unlike other operating systems, Windows won't let us get away with just using the device cert that we issue you for VPN auth; it requires the full chain before it will deign to use it. So, we make Windows users install the Cloud Middleman Client Auth Root and Intermediate certificates to fulfill this requirement. However, if you inspect these certificates, you will find that they are restricted to use (via EKU constraints) for Client Auth and IKE Intermediate only. Thus, Windows will not trust a Server Authentication certificate issued by these CAs.