Security Concepts: Why can't I hold all these certificates?
Here at Cloud Middleman, security is our top priority, as one might demand of a service whose function is to spy on your internet traffic. We need to make sure that all connections are correctly authenticated and encrypted so that only your device and our service can read them. And the best way to do that is to employ public key certificates.
For each device that you create in the Cloud Middleman dashboard, we issue you a client certificate signed by our Certificate Authority, along with the private key that goes with it. Our VPN is configured to accept that certificate as authentication, so be sure to keep the private key safe: anyone who holds it can connect as your device.
After you've connected, we simply proxy all your connections: that is, we take all your traffic, make a note of your request, send it to where it was going and get the response, save that too, and then send the response to your device.
This works just fine for unencrypted traffic, but if you're up on your SSL/TLS, you'll recognize that these are exactly the sort of shenanigans that https websites are supposed to prevent. That's why we also have you install our Certificate Authority cert as a trusted root certificate. (If you have a domain whitelist, we'll whip you up a special Restricted CA certificate that is only good for the domains on that list; otherwise, we'll link you to our general-purpose root CA certificate.)
When your device sends a request to https://example.com (and if you've requested that example.com be logged), Cloud Middleman generates a certificate for example.com on the spot, issued by our CA. Since your device is configured to trust this CA, it accepts the certificate without complaint and carries on sending the encrypted request (encrypted with the shared secret it established with Cloud Middleman, that is, not with example.com). In the meantime, Cloud Middleman establishes its own encrypted channel to the real example.com, and everything can proceed as before: both legs are encrypted, and the only place the traffic is readable is in the middle, where we read it.
So, now you know what all those certificates are about.
(If you want to learn more about how public-key cryptography works, this is my favorite introductory video on the topic).