
Ask HN: Does your company intercept HTTPS? What are alternatives? - codesuki
As the title says, I am curious whether this is usual and what are alternatives to HTTPS traffic interception to protect a company and for doing incident response & analysis.
======
BjoernKW
I've worked for customers in the past who did this. For the most part it was a
huge hassle and didn't really help with incident response and analysis.

You have to install company root certificates on clients, perhaps even merely
self-signed ones if they've been particularly cheap and lazy. Then traffic
needs to be routed through a firewall / proxy as well.

This in turn can lead to issues with tools such as Maven or NPM. These issues
can be hard to debug.

Besides, if you don't know what you're doing - and most companies don't
specialise in network security - it's easy to get the setup wrong and create
major security problems.

Sometimes the motivation isn't so much protection against malware but rather a
petty desire to know what employees are doing.

For these reasons I'd strongly advise against this practice.

As for alternatives:

Follow and encourage the use of accepted best practices.

Educate and trust your employees about security.

------
Samon
Yep, we have proxy servers with SSL decryption/inspection. Root CA installed
on all company devices.

There are a number of whitelisted URLs (banks, and services that refuse to
work with a MITM'ed cert) but other than the initial headache during
implementation, it is pretty seamless now.

------
dmlittle
My current company doesn't do this but I'm curious how it is supposed to help
with incident response and analysis. Are you talking about server traffic or
employee laptops' traffic?

~~~
neapolisbeach
I can't speak to how common the practice is but it's often an option on
firewalls. My understanding of the reasoning behind it is that it allows the
company to monitor employees' usage of the network to protect from data
exfiltration and malware that uses HTTPS.

It's usually done as part of a firewall that will MITM traffic on the network.

------
alltakendamned
This is a terrible practice with major security and privacy impacts.

And easily defeated by certificate pinning.
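
The point made in this comment (and the "install a company root certificate on clients" setup described earlier in the thread) can be shown concretely with SPKI pinning. The following is an added example, not code from the thread or from any product mentioned in it: it extracts the SubjectPublicKeyInfo from a DER certificate with a small DER walker, hashes it the way HPKP and `openssl dgst -sha256` do, and compares it against a pinned value. Because the pin is bound to the server's public key rather than to the trust chain, a forged certificate issued by an installed corporate CA still validates in the normal handshake but fails the pin. The function names (`extract_spki`, `spki_pin`, `check_pin`, `fetch_leaf_der`, `build_sample_cert`) and the unsigned sample certificate are constructed for this example.

```python
import base64
import hashlib
import socket
import ssl

# --- minimal DER helpers (single-byte tags only, which is all X.509 uses) ---

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element) for the DER TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER element (used only to build the constructed sample certificate)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo (header included) of an X.509 certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)             # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                              # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    start = pos
    tag, _, end = _read_tlv(tbs, pos)               # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed certificate: SubjectPublicKeyInfo not found")
    return tbs[start:end]


def spki_pin(cert_der: bytes) -> str:
    """Base64(SHA-256(SPKI)), the same value the usual openssl pin recipe produces."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def check_pin(cert_der: bytes, pins) -> bool:
    """True if the certificate's public key matches one of the pinned SPKI hashes."""
    return spki_pin(cert_der) in pins


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Connect with normal trust-store validation and return the leaf certificate in DER.

    Against an intercepting proxy whose root CA is installed on the machine this
    handshake succeeds; only the pin comparison reveals the substituted key.
    (Network call; not exercised offline.)"""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed sample certificate (unsigned, syntactically valid DER) for offline use ---
RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSA


def build_sample_cert(pubkey_bits: bytes):
    """Return (cert_der, spki_der) for a dummy certificate carrying `pubkey_bits` as its key."""
    alg = _tlv(0x30, _tlv(0x06, SHA256_RSA_OID) + _tlv(0x05, b""))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00" + pubkey_bits))        # BIT STRING, 0 unused bits
    name = _tlv(0x30, b"")                                  # empty Name (real certs carry RDNs)
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + alg + name + validity + name + spki)
    cert = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))  # placeholder signature
    return cert, spki


if __name__ == "__main__":
    genuine, _ = build_sample_cert(b"\x01" * 64)
    forged, _ = build_sample_cert(b"\x02" * 64)   # same subject, different key: what a MITM proxy serves
    pins = {spki_pin(genuine)}
    print("genuine matches pin:", check_pin(genuine, pins))
    print("forged matches pin: ", check_pin(forged, pins))
```

In a real deployment the pin set should contain the hash of the leaf key plus at least one backup key, so that a routine key rotation does not lock clients out; that operational cost is also why an inspection proxy has to whitelist pinned services rather than intercept them.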

------
yellow_lead
Does this require installing a company cert?

~~~
codesuki
Yes, a root certificate afaik.

