HTTPS redirects to HTTP for monitoring

Tim Franklin tim at
Tue Jan 20 10:23:53 UTC 2015

> By the way, I hope that all of the people who have been ranting about
> this have read this note.  The only way this filtering works is if the
> client computers have a special CA cert installed into their browsers.
> That means it's a private organizational network that manages all its
> client computers, or it's a service where the users specifically do
> something on their own computers to enable it.

In the first instance, I'd still very much *want* the organisation to tell the users that the internal IT people are breaking their SSL, so please not to have any expectation that security is doing what you think it is.  While it's not an organisation I'd particularly enjoy working for, at least I then know not to do online banking in my lunch break, or similar.  Pushing out internal MITM CAs silently *is* still evil, in my view, although sadly closer to what I'd *expect* to happen.


More information about the NANOG mailing list