
Ask HN: SSL inspection needed to comply with GDPR? - theyinwhy
Security companies are urging companies to implement SSL inspection (and buy their products) to comply with GDPR, as companies would need to mitigate data loss.

However, SSL inspection itself is violating GDPR, as it effectively stores (mainly employees') private passwords.

Is SSL inspection really needed to mitigate loss of data, and a valid tool to comply with GDPR?
======
mgliwka
tl;dr: TLS inspection is just another tool in your toolbox to control your
corporate network traffic. While it might help to avert infections and detect
exfiltration traffic, it's by no means required by GDPR.

The reasoning for this is mostly:

Malware can use TLS to load malicious payloads and exfiltrate data + data loss
and data breaches are targeted by GDPR => decrypting the traffic lets you
detect the malicious activity and prevent the infection / notice the
exfiltration, which can help you stay GDPR compliant.

IANAL, but as long as it's a black box and the traffic neither gets stored nor
is accessible, the logs don't contain any personal information and the users
are in the know about this processing, it should be okay.
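
An added example (mine, not mgliwka's and not from the page) of what an inspection gateway sees before it decrypts anything: the SNI hostname in the cleartext ClientHello. A proxy typically uses this field to decide whether to intercept a flow or to bypass it (e.g. for banking or health sites), and it is also the kind of metadata that can be logged without ever touching payload. The ClientHello bytes are constructed in the code, not captured traffic; build_client_hello and extract_sni are my own names, and the two extensions in the sample are there only to exercise the parser.

```python
import struct

# TLS constants (RFC 5246 / RFC 6066)
TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SIG_ALGS = 0x000D
NAME_TYPE_HOST = 0x00


def build_client_hello(hostname, include_sni=True):
    """Constructed sample: a minimal TLS 1.2 ClientHello record (not captured traffic).

    Layout: record header | handshake header | version | random | session_id |
    cipher_suites | compression_methods | extensions.
    """
    # A dummy signature_algorithms extension comes first so the SNI is not the
    # only extension and the parser has to skip over something.
    sig_algs = b"\x00\x02\x04\x03"
    exts = struct.pack("!HH", EXT_SIG_ALGS, len(sig_algs)) + sig_algs
    if include_sni:
        name = hostname.encode("ascii")
        server_name = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + b"\x00" * 32              # random (zeroed in this constructed sample)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # cipher_suites: one suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"               # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from a TLS ClientHello record, or None.

    Every length is bounds-checked, so truncated or non-TLS input yields None
    instead of an exception; an inspection device must not crash on junk.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None  # record cut short
    p = 2 + 32  # skip client_version and random
    if p >= len(body):
        return None
    p += 1 + body[p]  # session_id
    if p + 2 > len(body):
        return None
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # cipher_suites
    if p + 1 > len(body):
        return None
    p += 1 + body[p]  # compression_methods
    if p + 2 > len(body):
        return None  # no extensions block at all
    ext_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    end = p + ext_len
    if end > len(body):
        return None
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        edata = body[p:p + elen]
        p += elen
        if etype != EXT_SERVER_NAME or len(edata) < 5:
            continue
        q = 2  # skip ServerNameList length
        while q + 3 <= len(edata):
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            name = edata[q:q + nlen]
            q += nlen
            if ntype == NAME_TYPE_HOST:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))             # example.com
    print(extract_sni(build_client_hello("x", include_sni=False)))   # None
    print(extract_sni(b"GET / HTTP/1.1\r\nHost: example.com\r\n"))     # None
```

The point for the GDPR discussion: the hostname is available without a private key or a forged certificate, so a bypass list and a destination log can be built from it; only the decision to actually decrypt exposes payload, and that is the step whose storage and access need the controls mgliwka describes.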

------
757362
7 common misunderstandings about SSL encryption: separating fact from fiction
https://gdpr.report/news/2017/07/11/7-common-misunderstandings-ssl-encryption-separating-fact-fiction/

SSL Inspection is Imperative Under GDPR
https://www.a10networks.com/blog/ssl-inspection-imperative-under-gdpr

~~~
Spooky23
Any assertion backed by data from the Ponemon Institute is by definition
bullshit.

~~~
757362
I apologize for not researching the topic properly. :(

Here is an update for discussion, Spooky23!

GDPR Controversial Topics
https://www.eugdpr.org/controversial-topics.html

There was a post asking about SSL necessity for GDPR and I didn't research the
question properly.

If a website isn't payment orientated or doesn't hold sensitive information
(e.g. email, credit cards, addresses, forum, etc.), why would you need to invest
in SSL? Another?

How is the site coded? E.g. XHTML/HTML/CSS, or CMS, PHP, JavaScript?

Any feedback would greatly be appreciated!

