Don't do SSL interception!

My employer has activated that bullshit on our company network recently and you cannot imagine how many things broke or still don't work.

We're wasting huge amounts of money and developer time just to fix stuff that was broken by our corporate IT just because somebody thought that MitM'ing all the things was a good idea.

It's a terrible idea and will cause tons of money to be burnt. Don't do it. Just don't. Especially if you're a technology company.

You might have a relatively relaxing time doing that in a pure office-oriented work environment. Browser and Email users won't care.

But engineers will notice and run into problem after problem. In a technology company hell will break loose. Don't do it. It's more than just bad taste.

@thomas and it does not really work on the modern web with pinning and all that stuff...

@thomas @jr of course not. But try telling this to the C-level people…

@thomas “But how are we going to inspect the traffic, filter out malware, and identify insider threats exfiltrating data then?” is what the infosec folks will say.

@thomas as someone working in IT security, I can say that most 'security' devices won't work as intended without intercepting SSL. The problem is known, but the IT security business is inherently broken. So things won't change for at least the next 5 years. Better be prepared to run into a lot of problems with 'state of the art' tooling.

@thomas Reminds me of a former employer. "High-security" environment with Start -> Run disabled, even for admins. We had to write scripts that just executed a terminal to get something usable.
And then I noticed in the browser I only got generic certificates, no EV (those were still relevant back then). Went to a website to check what security it provided... the browser was new enough to not accept anything bad, but the MITM proxy accepted badly aged crypto.

@thomas creative idiots are the worst kind: they create the most complicated problems out of thin air. Many managers have this capability.

@thomas it's almost like SSL/TLS was designed to protect against MitM attacks 🤔

\m/ \m/ is a Mastodon instance hosted in Germany and powered by 100% green energy.