Don't do SSL interception!
My employee has activated that bullshit on our company network recently and you cannot imagine how many things broke / still do not work.
We're wasting huge amounts of money and developer time just to fix stuff that was broken by our corporate IT just because somebody thought that MitM'ing all the things was a good idea.
It's a terrible idea and will cause tons of money to be burnt. Don't do it. Just don't. Esp if you're a technology company.
@thomas “But how are we going to inspect the traffic, filter out malware, and identify insider threats exfiltrating data then?” is what the infosec folks will say.
@thomas As someone working in IT security, I can say that most 'security' devices won't work as intended without intercepting SSL. The problem is known, but the IT security business is inherently broken. So things won't change for at least the next 5 years. Better be prepared to run into a lot of problems with 'state of the art' tooling.
@thomas Reminds me of a former employer. "High-security" environment with Start -> Run disabled, even for admins. We had to write scripts that just executed a terminal to get something usable.
And then I noticed in the browser I only got generic certificates, no EV (those were still relevant back then). Went to a website to check what security it provided... the browser was new enough to not accept anything bad, but the MitM proxy accepted badly aged crypto.
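The situation in the last two replies, where the browser only ever sees certificates the interception proxy re-issued and the tooling only works because a corporate root was pushed to every workstation, as an added example that is not part of this thread. It uses only Go's standard library and constructs everything itself: a public-style root for the origin, a corporate interception root for the proxy, and the host name `intranet.example.test` (all made up). It shows that ordinary chain validation passes as soon as the corporate root is trusted, and that an SPKI pin recorded out-of-band is what still reveals the substitution.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// mustIssue generates a P-256 key and a certificate for cn: a self-signed root when parent
// is nil, otherwise signed by parent/parentKey. Panicking is fine for a constructed demo.
func mustIssue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo: the value a
// pinning client records out-of-band for the origin it expects to reach.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Observation is what a client can determine from the leaf certificate it was handed.
type Observation struct {
	ChainValid  bool   // path validation against the client's trust store succeeded
	IssuerCN    string // CN of the CA that signed the leaf the client actually received
	Intercepted bool   // chain validated, yet the leaf's SPKI pin is not the origin's
}

// inspect validates the leaf as a browser would (hostname, trust roots, serverAuth EKU),
// then compares its SPKI pin. Once an interception root is trusted, only the pin tells.
func inspect(leaf *x509.Certificate, roots *x509.CertPool, host, expectedPin string) Observation {
	obs := Observation{IssuerCN: leaf.Issuer.CommonName}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	obs.ChainValid = err == nil
	obs.Intercepted = obs.ChainValid && spkiPin(leaf) != expectedPin
	return obs
}

// Scenario builds the thread's situation from constructed certificates: the origin's leaf
// chains to a public-style root; the proxy re-issues the same name under a corporate root.
func Scenario() (direct, proxyUntrusted, proxyTrusted Observation) {
	const host = "intranet.example.test" // constructed name, not a real host
	publicRoot, publicKey := mustIssue("Public Root CA (constructed)", true, nil, nil)
	originLeaf, _ := mustIssue(host, false, publicRoot, publicKey)
	corpRoot, corpKey := mustIssue("Corp TLS Interception CA (constructed)", true, nil, nil)
	proxyLeaf, _ := mustIssue(host, false, corpRoot, corpKey)
	pin := spkiPin(originLeaf) // learned out-of-band, e.g. from a known-good network
	publicOnly := x509.NewCertPool()
	publicOnly.AddCert(publicRoot)
	withCorp := x509.NewCertPool()
	withCorp.AddCert(publicRoot)
	withCorp.AddCert(corpRoot) // the root corporate IT installed on every workstation
	direct = inspect(originLeaf, publicOnly, host, pin)
	proxyUntrusted = inspect(proxyLeaf, publicOnly, host, pin)
	proxyTrusted = inspect(proxyLeaf, withCorp, host, pin)
	return
}

func main() {
	d, pu, pt := Scenario()
	fmt.Printf("direct: %+v\nproxy, root not trusted: %+v\nproxy, root trusted: %+v\n", d, pu, pt)
}
```

Run it with `go run`. The second line of output shows the proxy's certificate failing validation while the corporate root is absent, which is why the tooling mentioned above needs that root deployed; the third line shows `ChainValid:true Intercepted:true`, i.e. a client that only validates the chain sees nothing unusual, and only the pin comparison flags the re-issued certificate. This is also why the browser in the story reported generic certificates and had no way to see which crypto the proxy itself had accepted upstream.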
Metalhead.club is a Mastodon instance hosted in Germany and powered by 100% green energy.