nanog mailing list archives
Re: HTTPS redirects to HTTP for monitoring
From: Ca By <cb.list6 () gmail com>
Date: Sun, 18 Jan 2015 09:41:13 -0800
On Sunday, January 18, 2015, Ammar Zuberi <ammar () fastreturn net> wrote:
So your idea is to block every HTTPS website?
My idea is to provide secure internet and tell the truth about it. Proxying and MITM SSL/TLS is telling a lie to the end user and exposing them and the proxying organization to a great deal of liability. If you cannot provide proper transport of TLS/SSL, then tell your users that. Don't fake it and undermine the ecosystem. Proxying secure traffic is extremely dangerous; you are pretty much creating a trap door in the bank vault. It is going to hurt when the hackers find it and you are going to be liable for undermining all the secure communications for all your users. Your call. YMMV. Maybe you are especially lucky and the hackers won't find this weak spot in your network where all the most important encrypted info (personal and corporate) suddenly becomes clear text. My advice: don't do MITM, you can't afford it. It is only a matter of time before the hackers get this info and steal the identity and drain the bank accounts of all your users.
On 18 Jan 2015, at 6:48 pm, Ca By <cb.list6 () gmail com> wrote:
On Sunday, January 18, 2015, Grant Ridder <shortdudey123 () gmail com> wrote:
Hi Everyone,
I wanted to see what opinions and thoughts were out there. What software, appliances, or services are being used to monitor web traffic for "inappropriate" content on the SSL side of things? Personal use? Enterprise?
It looks like Websense might do decryption (http://community.websense.com/forums/t/3146.aspx) while Covenant Eyes does some sort of session hijack to redirect to non-SSL (at least for Google) (https://twitter.com/CovenantEyes/status/451382865914105856).
Thoughts on having a product that decrypts SSL traffic internally vs one that doesn't allow SSL to start with?
-Grant
IMHO, it would be better to just block the service and say the encrypted traffic is inconsistent with your policy instead of snooping it and exposing sensitive data to your middle box. These boxes that violate end to end encryption are a great place for hackers to steal the bank and identity info of everyone in your company. That sounds like a lot of liability to put on your shoulders.
CB