Introducing Restricted Certificates

Adam Bard
Published in Cloud Middleman
Feb 27, 2017

You may have noticed that Cloud Middleman lets you pick certain domains to log. This is well and good if you presume that we are trustworthy folks with no ulterior motives, and if you do think that then thank you, but we wanted to do better.

Cloud Middleman Dashboard, adding a device.

That’s why we’re introducing Restricted CA certificates for use with domain-restricted devices.

What’s different?

In the unrestricted case, we have you install our Certificate Authority certificate as a trusted root. This gives us the ability to issue certificates for any domain that your device will trust.

Any domain.

ANY DOMAIN.

ANY DOMAIN!

As developers of this software, we’ve discovered that it’s really easy to forget about the VPN connection and leave it on. In this case, all of your device’s traffic, regardless of domain, flows through our servers, which we understand might make some uncomfortable.

BUT NO LONGER!

Enter our new domain-restricted CA. For future domain-restricted devices that you create, we will generate a special certificate, valid only for decrypting those domains. (Nerd talk: The certificate contains a Subject Alternative Name constraint containing <domain.tld> and *.<domain.tld> only).

For devices configured with domain restrictions, we will perform standard HTTPS tunnelling (the kind where we can’t see your traffic) for any domains not listed, and only MITM the domains you asked for, using the generated certificate (which you can inspect for yourself before installing it). If we went mad with power and tried to use this certificate for a domain not included in its list, your browser or app would simply fail the SSL handshake before sending any compromising bytes through the connection.
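To make the inspection step concrete, here is an added example (not Cloud Middleman's code) that audits a certificate's Subject Alternative Name list against the domains a device was restricted to, and shows which hostnames a client would accept under that list. It assumes the SAN entries were copied from `openssl x509 -noout -text` output; the domain names and function names are constructed for illustration, and the matching follows RFC 6125 wildcard rules as a simplified model of a TLS client.

```python
# Added example: SAN values are constructed, not from a real Cloud Middleman certificate.

def _labels(name):
    """Normalise a DNS name (case, trailing dot) and split it into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """RFC 6125-style match: '*' is only honoured as the entire leftmost
    label and stands for exactly one label, never zero or several."""
    host, pat = _labels(hostname), _labels(san)
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse over-broad wildcards such as '*.test'.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def cert_accepts(hostname, sans):
    """True if a client would accept this SAN list for the hostname."""
    return any(san_matches(hostname, s) for s in sans)

def unexpected_sans(sans, restricted_domains):
    """Return SAN entries that are not <domain> or *.<domain> for one of
    the domains the device was restricted to. Should be empty."""
    allowed = set()
    for d in restricted_domains:
        d = d.rstrip(".").lower()
        allowed.update({d, "*." + d})
    return [s for s in sans if s.rstrip(".").lower() not in allowed]

# Constructed sample: a device restricted to a single domain.
RESTRICTED = ["api.example.test"]
SANS = ["api.example.test", "*.api.example.test"]

if __name__ == "__main__":
    print("unexpected SAN entries:", unexpected_sans(SANS, RESTRICTED))
    for host in ("api.example.test", "v1.api.example.test",
                 "a.b.api.example.test", "example.test", "bank.example"):
        verdict = "accepted" if cert_accepts(host, SANS) else "handshake fails"
        print(f"{host:24} {verdict}")
```

The output shows why both `<domain.tld>` and `*.<domain.tld>` are listed: the wildcard covers one subdomain level only and does not cover the bare domain.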

In closing, you should use this feature.
