Slashdot Mirror


Some HTTPS Inspection Tools Actually Weaken Security (itworld.com)

America's Department of Homeland Security issued a new warning this week. An anonymous reader quotes IT World: Companies that use security products to inspect HTTPS traffic might inadvertently make their users' encrypted connections less secure and expose them to man-in-the-middle attacks, the U.S. Computer Emergency Readiness Team warns. US-CERT, a division of the Department of Homeland Security, published an advisory after a recent survey showed that HTTPS inspection products don't mirror the security attributes of the original connections between clients and servers. "All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected," US-CERT said in its alert.
Slashdot reader msm1267 quotes Threatpost: HTTPS inspection boxes sit between clients and servers, decrypting and inspecting encrypted traffic before re-encrypting it and forwarding it to the destination server... The client cannot verify how the inspection tool is validating certificates, or whether there is an attacker positioned between the proxy and the target server.
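The survey's finding that inspection products "don't mirror the security attributes" of the upstream connection can be turned into a concrete check. The example below is added here and is not part of the article or the US-CERT advisory: it compares what the client sees on the client-to-proxy leg with what the proxy negotiated upstream and reports every place the proxy's leg overstates reality. The version ranking, the weak-cipher markers and the observation records are assumptions modelled on what Python's `ssl` module reports; no network access is involved.

```python
"""Checks whether an HTTPS inspection proxy mirrors the security attributes
of its upstream (proxy-to-server) leg onto the downstream (client-to-proxy)
leg.  Inputs are constructed records modelled on SSLSocket.version() and
SSLSocket.cipher() output; nothing here touches the network."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed ranking of protocol versions, weakest first.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
# Assumed markers of cipher suites a modern client would normally refuse.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


@dataclass
class Leg:
    """One TLS hop as observed on the wire."""
    version: str                      # e.g. "TLSv1.2", as SSLSocket.version() returns
    cipher: str                       # suite name, first element of SSLSocket.cipher()
    cert_errors: List[str] = field(default_factory=list)  # empty when the chain validated


def is_weak(cipher: str) -> bool:
    return any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS)


def mirror_findings(upstream: Leg, downstream: Optional[Leg]) -> List[str]:
    """Report every way the client-facing leg overstates the upstream leg.

    downstream is None when the proxy refused the connection, which is the
    correct way to mirror an upstream certificate failure to the client."""
    if downstream is None:
        return []
    findings = []
    if upstream.cert_errors:
        findings.append("upstream certificate errors hidden from client: "
                        + ", ".join(upstream.cert_errors))
    if VERSION_RANK.get(downstream.version, -1) > VERSION_RANK.get(upstream.version, -1):
        findings.append(f"client sees {downstream.version} but upstream negotiated {upstream.version}")
    if is_weak(upstream.cipher) and not is_weak(downstream.cipher):
        findings.append(f"client sees {downstream.cipher} but upstream negotiated {upstream.cipher}")
    return findings


if __name__ == "__main__":
    # Constructed observation of a proxy that validates nothing and upgrades everything.
    bad_upstream = Leg("TLSv1", "RC4-SHA", ["self signed certificate", "hostname mismatch"])
    client_view = Leg("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")
    for finding in mirror_findings(bad_upstream, client_view):
        print("FINDING:", finding)
```

In practice the upstream record is what the proxy logs (or what a test page such as the ones the advisory points to would have reported), and the downstream record is what the client observes; an empty findings list means the proxy mirrored the upstream leg.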

1 of 102 comments

  1. Re: expose them to man-in-the-middle attacks by Mindscrew · Score: 3, Informative

    Just to make sure I'm clear here...

    Are you saying that only IT groups that are serious about security allow unknown encrypted data to pass out of the perimeter with no regard to what could be present in it? Are you saying that IT groups should just accept the risk of data being exfiltrated over these unknown encrypted connections? What about C2 traffic?

    As someone who regularly performs Security Assessments and Penetration Tests for the Financial Industry in the US... I would say that's rather naive...

    There is absolutely ZERO expectation of privacy when using an asset that is provided by your employer.

    Any IT group that is serious about decreasing its attack surface knows that solutions like this are imperative to the overall security posture of the organization. Any IT department that is serious about protecting the organization knows you just cannot allow unknown encrypted data to leave the network at the will of an employee.

    The IT department doesn't give one fuck about your privacy... as they shouldn't.
    It's IT's job to protect the business from technology, and to ensure that it has the tools and solutions in place to achieve the organization's business requirements. Yes, this includes middling SSL and TLS connections to ensure that company data is not leaking out of the perimeter.

    If you don't want the IT department decrypting their data as it leaves their network, use your smartphone instead.