HTTPS redirects to HTTP for monitoring
cb.list6 at gmail.com
Sun Jan 18 17:41:13 UTC 2015
On Sunday, January 18, 2015, Ammar Zuberi <ammar at fastreturn.net> wrote:
> So your idea is to block every HTTPS website?
My idea is to provide secure internet and tell the truth about it.
Proxying And mitm SSL/TLS is telling a lie to the end user and exposing
them and the proxying organization to a great deal of liability.
If you cannot provide proper transport of TLS/SSL, then tell your users
that. Dont fake it and undermine the ecosystem.
Proxying secure traffic is extremely dangerous, you are pretty much
creating trap door in the bank vault. It is going to hurt when the hackers
find it and you are going to Be liable for undermining all the secure
communications for all your users.
Your call. Ymmv. May be you are especially lucky and the hackers wont find
this weak spot in your network where all the most important encrypted info
(Perosal and corporate) suddenly becomes clear text.
My advice, dont do mitm, you cant afford it. It is only a matter of
Time when the hackers get this info and steal the identity And drain the
bank accounts of all your users.
> >> On Sunday, January 18, 2015, Grant Ridder <shortdudey123 at gmail.com
> >> Hi Everyone,
> >> I wanted to see what opinions and thoughts were out there. What
> >> appliances, or services are being used to monitor web traffic for
> >> "inappropriate" content on the SSL side of things? personal use?
> >> enterprise enterprise?
> >> It looks like Websense might do decryption (
> >> http://community.websense.com/forums/t/3146.aspx) while Covenant Eyes
> >> some sort of session hijack to redirect to non-ssl (atleast for Google)
> >> https://twitter.com/CovenantEyes/status/451382865914105856).
> >> Thoughts on having a product that decrypts SSL traffic internally vs one
> >> that doesn't allow SSL to start with?
> >> -Grant
> > IMHO, it would be better to just block the service and say the encrypted
> > traffic is inconsistent with your policy instead of snooping it and
> > exposing sensitive data to your middle box.
> > These boxes that violate end to end encryption are a great place for
> > hackers to steal the bank and identity info of everyone in your company.
> > That sounds like a lot liablity to put on your shoulders.
> > CB
More information about the NANOG