HTTPS redirects to HTTP for monitoring

Ca By cb.list6 at
Sun Jan 18 17:41:13 UTC 2015

On Sunday, January 18, 2015, Ammar Zuberi <ammar at> wrote:

> So your idea is to block every HTTPS website?
My idea is to provide secure internet and tell the truth about it.

Proxying And mitm  SSL/TLS is telling a lie to the end user and exposing
them and the proxying organization to a great deal of liability.

If you cannot provide proper transport of TLS/SSL, then tell your users
that. Dont fake it and undermine the ecosystem.

Proxying secure traffic is extremely dangerous, you are pretty much
creating trap door in the bank vault.  It is going to hurt when the hackers
find it and you are going to  Be liable for undermining all the secure
communications for all your users.

Your call. Ymmv. May be you are especially lucky and the hackers wont find
this weak spot in your network where all the most important encrypted info
(Perosal and corporate) suddenly becomes clear text.

My advice, dont do mitm, you cant afford it. It is only a matter of
Time when the hackers get this info and steal the identity And drain the
bank accounts  of all your users.

> > On 18 Jan 2015, at 6:48 pm, Ca By <cb.list6 at <javascript:;>>
> wrote:
> >
> >> On Sunday, January 18, 2015, Grant Ridder <shortdudey123 at
> <javascript:;>> wrote:
> >>
> >> Hi Everyone,
> >>
> >> I wanted to see what opinions and thoughts were out there.  What
> software,
> >> appliances, or services are being used to monitor web traffic for
> >> "inappropriate" content on the SSL side of things?  personal use?
> >> enterprise enterprise?
> >>
> >> It looks like Websense might do decryption (
> >> while Covenant Eyes
> does
> >> some sort of session hijack to redirect to non-ssl (atleast for Google)
> (
> >>
> >>
> >> Thoughts on having a product that decrypts SSL traffic internally vs one
> >> that doesn't allow SSL to start with?
> >>
> >> -Grant
> >
> > IMHO, it would be better to just block the service and say the encrypted
> > traffic is inconsistent with your policy instead of snooping it and
> > exposing sensitive data to your middle box.
> >
> > These boxes that violate end to end encryption are a great place for
> > hackers to steal the bank and identity info of everyone in your company.
> >
> > That sounds like a lot liablity to put on your shoulders.
> >
> > CB

More information about the NANOG mailing list