[Live-devel] RTSPS and PKI

Warren Young warren at etr-usa.com
Tue Jul 22 08:25:58 PDT 2025 

On Jul 21, 2025, at 15:34, Ross Finlayson <finlayson at live555.com> wrote:
> 
> First you note that client-side certificates can be used to implement snooping.

You misunderstood what I wrote, and I attempted to correct that in the prior email, which you are now perceiving as me saying two incompatible things.

I will try one more time.

The required setup for a “corporate security gateway” (a.k.a. snooping middlebox) includes these steps:

1. The middlebox mints a self-signed CA signing certificate.

2. Site IT arranges for its public half to be installed into the root CA trust stores of all site PCs, mobiles, tablets…

3. Site network admins force all 443 traffic to the middlebox.

When a client in this regime connects to, let us say google.com, the connection goes to the middlebox, which then *manufactures on the fly* a TLS cert for google.com, signed by its own CA root cert, causing the client to *mistakenly* trust that it is talking to Google, because the TLS cert was signed by a CA it was told to trust by site IT. The client therefore proceeds to issue its HTTP request.

The middlebox takes that and contacts the actual google.com servers, pulls the requested URL, inspects the content to determine if it is willing to forward it, and only then reencrypts it under the bogus google.com certificate it previously produced. The client trusts this reply for the same reason it allowed the TLS setup.

Client certificates defeat this scheme for servers that require them, because the middlebox is unlikely to have copies of both halves of every client-side cert.

Consider the BYOD case: site IT can demand that all employees put the middlebox CA cert onto their devices as a precondition to allowing access to the Internet — limited to approved sites, of course — but while they can _try_ to get the employee to give up client-side certs for all the apps on that phone as well, this will not be 100% effective in an organization of any significant size.

One of two things then happens:

1. The middlebox drops the connection because it cannot impersonate the client, cluing the BYOD owner in that something is hinky.

2. The middlebox passes the connection through without meddling, end user value triumphing over centralized snooping.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20250722/f82a0a82/attachment.htm>

More information about the live-devel mailing list