nanog mailing list archives

Re: HTTPS redirects to HTTP for monitoring


From: Ca By <cb.list6 () gmail com>
Date: Sun, 18 Jan 2015 09:41:13 -0800

On Sunday, January 18, 2015, Ammar Zuberi <ammar () fastreturn net> wrote:

So your idea is to block every HTTPS website?


My idea is to provide secure internet and tell the truth about it.

Proxying and MITM of SSL/TLS is telling a lie to the end user and exposing
them and the proxying organization to a great deal of liability.

If you cannot provide proper transport of TLS/SSL, then tell your users
that. Don't fake it and undermine the ecosystem.

Proxying secure traffic is extremely dangerous; you are pretty much
creating a trap door in the bank vault. It is going to hurt when the hackers
find it, and you are going to be liable for undermining all the secure
communications for all your users.

Your call. YMMV. Maybe you are especially lucky and the hackers won't find
this weak spot in your network where all the most important encrypted info
(personal and corporate) suddenly becomes clear text.

My advice: don't do MITM, you can't afford it. It is only a matter of
time until the hackers get this info and steal the identity and drain the
bank accounts of all your users.




On 18 Jan 2015, at 6:48 pm, Ca By <cb.list6 () gmail com> wrote:

On Sunday, January 18, 2015, Grant Ridder <shortdudey123 () gmail com> wrote:

Hi Everyone,

I wanted to see what opinions and thoughts were out there. What software,
appliances, or services are being used to monitor web traffic for
"inappropriate" content on the SSL side of things? Personal use? Enterprise?

It looks like Websense might do decryption
(http://community.websense.com/forums/t/3146.aspx) while Covenant Eyes does
some sort of session hijack to redirect to non-SSL (at least for Google)
(https://twitter.com/CovenantEyes/status/451382865914105856).

Thoughts on having a product that decrypts SSL traffic internally vs one
that doesn't allow SSL to start with?

-Grant

IMHO, it would be better to just block the service and say the encrypted
traffic is inconsistent with your policy instead of snooping it and
exposing sensitive data to your middle box.

These boxes that violate end to end encryption are a great place for
hackers to steal the bank and identity info of everyone in your company.

That sounds like a lot of liability to put on your shoulders.

CB
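The "trap door" CB describes is the inspection CA itself: once a device trusts it, the middlebox can mint a certificate for any hostname on the fly and the handshake looks clean to the browser. The Go program below is an added illustration, not code from the thread or from any product named in it. It generates, in memory, a "real" root with a leaf for bank.example and a separate "Corp TLS Inspection CA" with a forged leaf for the same name (all names and keys are constructed for the example), then checks which client configurations accept the forged leaf: a client that does not trust the proxy CA rejects it, a client that trusts it accepts it silently, and a client that also pins the origin's real SubjectPublicKeyInfo hash rejects it again.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a P-256 certificate for cn: a self-signed CA when parent is
// nil, otherwise a server leaf for hostname cn signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// SPKIPin is SHA-256 over the SubjectPublicKeyInfo: what a pinning client
// stores for the origin it expects, independent of which CA signed the leaf.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Scenario: the origin's real chain and the chain an inspecting proxy mints
// on the fly for the same hostname under its own CA (all constructed in memory).
type Scenario struct {
	Host                string
	RealCA, ProxyCA     *x509.Certificate
	RealLeaf, ProxyLeaf *x509.Certificate
}

func Build(host string) Scenario {
	realCA, realCAKey := issue("Public Root CA (constructed)", nil, nil)
	realLeaf, _ := issue(host, realCA, realCAKey)
	proxyCA, proxyCAKey := issue("Corp TLS Inspection CA (constructed)", nil, nil)
	proxyLeaf, _ := issue(host, proxyCA, proxyCAKey) // forged for the same name
	return Scenario{Host: host, RealCA: realCA, ProxyCA: proxyCA, RealLeaf: realLeaf, ProxyLeaf: proxyLeaf}
}

// Accepted models the client. It chains leaf to a trusted root and checks the
// hostname; trustProxyCA adds the corporate CA to the trust store (what an
// inspection product requires on every device), and pinned additionally
// requires the leaf SPKI to equal the origin's real one.
func Accepted(s Scenario, leaf *x509.Certificate, trustProxyCA, pinned bool) bool {
	roots := x509.NewCertPool()
	roots.AddCert(s.RealCA)
	if trustProxyCA {
		roots.AddCert(s.ProxyCA)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: s.Host}); err != nil {
		return false
	}
	return !pinned || SPKIPin(leaf) == SPKIPin(s.RealLeaf)
}

func main() {
	s := Build("bank.example")
	fmt.Println("origin leaf, pinned:                 ", Accepted(s, s.RealLeaf, false, true))
	fmt.Println("proxy leaf, proxy CA not trusted:    ", Accepted(s, s.ProxyLeaf, false, false))
	fmt.Println("proxy leaf, proxy CA trusted, no pin:", Accepted(s, s.ProxyLeaf, true, false))
	fmt.Println("proxy leaf, proxy CA trusted, pinned:", Accepted(s, s.ProxyLeaf, true, true))
}
```

The third line of output is the case the thread is arguing about: with the inspection CA in the trust store, nothing in the handshake tells the user the connection terminates on a middlebox, and every site the proxy chooses to decrypt is readable wherever that CA's private key lives. The fourth line is why such products break applications that pin their origin's key (mobile banking apps and some browser-internal pins), and why those products document exceptions for such destinations rather than pretending the interception is invisible.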


