
The sorry state of TLS security in enterprise interception appliances - fanf2
https://arxiv.org/abs/1809.08729
======
jandrese
I had to look at some of these devices from a security standpoint and I was
shocked that they would re-sign an SSL connection without first checking that
the original certificate was good. They would accept anything even vaguely
certificate-shaped and happily re-sign it with their own cert. Didn't matter if
it was expired, for the wrong domain, in a CRL, or even self-signed.

I'm guessing this was for performance reasons, but it was a really shocking
disregard for the entire reason we are running TLS in the first place.

If your own workplace uses one of these DPI MITM TLS devices, I suggest you
hit up [https://badssl.com/dashboard/](https://badssl.com/dashboard/) and see
what it allows through. Some of these are configurable and you may be able to
convince your admins to fix some of the more egregious failures.

I was also doing this a few years ago, so hopefully the situation has improved
since then.
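
The checks the comment above says the appliances skipped, written out as an added example (not code from the post, the paper, or any vendor): an intercepting proxy should verify the origin certificate against its trust store, for the requested hostname, at the current time, and consult revocation data, and only then mint its own copy. The helper names (`ShouldResign`, `Scenarios`, `mustCert`, `template`), the hostnames and the "Test Origin Root" CA are all hypothetical; the certificates are generated in memory, and revocation is modelled as a constructed set of serial numbers rather than a real CRL or OCSP fetch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template; leaves get a SAN and the serverAuth EKU.
func template(cn string, serial int64, notBefore, notAfter time.Time, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mustCert generates a fresh P-256 key and issues tmpl. A nil parent means self-signed.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ShouldResign is the gate an interception proxy should apply to the origin's
// leaf certificate before re-signing it. It reports the reason when it refuses.
// revoked is a constructed stand-in for CRL/OCSP data (keyed by serial number).
func ShouldResign(leaf *x509.Certificate, roots *x509.CertPool, revoked map[string]bool, host string, now time.Time) (bool, string) {
	if revoked[leaf.SerialNumber.String()] {
		return false, "revoked"
	}
	opts := x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host, // hostname must match a SAN entry
		CurrentTime: now,  // validity window is checked against this time
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		switch e := err.(type) {
		case x509.CertificateInvalidError:
			if e.Reason == x509.Expired {
				return false, "expired"
			}
			return false, "invalid: " + e.Error()
		case x509.HostnameError:
			return false, "wrong host"
		case x509.UnknownAuthorityError:
			return false, "untrusted issuer"
		default:
			return false, err.Error()
		}
	}
	return true, ""
}

// Scenarios issues one certificate per failure mode from the comment (plus a good
// one) under a constructed test CA and returns the proxy's verdict for each.
func Scenarios() map[string]string {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	day, year := 24*time.Hour, 365*24*time.Hour
	ca, caKey := mustCert(template("Test Origin Root", 1, now.Add(-year), now.Add(10*year), true), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	good, _ := mustCert(template("good.example", 2, now.Add(-day), now.Add(year), false), ca, caKey)
	expired, _ := mustCert(template("good.example", 3, now.Add(-2*year), now.Add(-year), false), ca, caKey)
	selfSigned, _ := mustCert(template("good.example", 4, now.Add(-day), now.Add(year), false), nil, nil)
	revokedCert, _ := mustCert(template("good.example", 5, now.Add(-day), now.Add(year), false), ca, caKey)
	revoked := map[string]bool{revokedCert.SerialNumber.String(): true}

	decide := func(c *x509.Certificate, host string) string {
		if ok, why := ShouldResign(c, roots, revoked, host, now); !ok {
			return why
		}
		return "resign"
	}
	return map[string]string{
		"valid":       decide(good, "good.example"),
		"expired":     decide(expired, "good.example"),
		"wrong host":  decide(good, "other.example"),
		"self-signed": decide(selfSigned, "good.example"),
		"revoked":     decide(revokedCert, "good.example"),
	}
}

func main() {
	for name, verdict := range Scenarios() {
		fmt.Printf("%-12s -> %s\n", name, verdict)
	}
}
```

Only the "valid" case comes back as `resign`; an appliance that re-signs the other four is doing exactly what the comment describes. A real deployment would also need to pass intermediates from the origin's chain through `VerifyOptions.Intermediates` and replace the serial set with live CRL or OCSP lookups, which this example deliberately leaves out so it runs offline.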

~~~
solatic
You're assuming that the people who buy these things care about security. They
don't, they care about creating a digital Panopticon. What happens to data
when it leaves the corporate network is irrelevant to their interests.

