
I am a little confused by the disparity between your statements and the statements here:

http://security.stackexchange.com/questions/2914/can-my-comp...

It sounds pretty clear to me that with some work on the adversary's part and lack of checking of the certificate chain, TLS can be subverted.




Websense doesn't break TLS or SSL or PKI. Websense abuses an organization's control over their own workstations to conduct a 'mitm' or 'proxy' of the TLS connection. It does that in a fairly straightforward manner.

Websense is used in organizations that distribute their own root CA key to the workstations behind it. The Websense machine is then given that root CA key and allowed to generate dynamic certs with it, so that a workstation with your organizational CA trusts them, but nobody on the regular inter webs will.

It's a really, really shitty way to do things, and effectively violates the trust of every user on your corporate network, but hey, they signed an agreement.


Thank you for the information.


Yes, if you don't check certificates you can subvert TLS. Also if you key your ciphers with zeroes. Don't do those things.
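
An added example, not written by any commenter in this thread: a Python sketch of the two client-side checks the discussion turns on, namely whether a TLS context verifies certificates at all, and whether a certificate that does verify was issued by the CA you expect for that host rather than by an organizational proxy CA. All function names and the sample certificate dicts are constructed for illustration; the dicts follow the format returned by `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

def verification_gaps(ctx):
    """List the certificate checks this client context skips."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain not verified")
    if not ctx.check_hostname:
        gaps.append("hostname not checked")
    return gaps

def issuer_field(cert, field):
    """Return one issuer attribute from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None

def issuer_is_expected(cert, expected_orgs):
    """True only if the issuer organization is on the allowlist for this host."""
    return issuer_field(cert, "organizationName") in expected_orgs

def fetch_peer_cert(host, port=443, timeout=5):
    """Verified handshake; still succeeds behind a proxy whose CA is in the loaded trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def unverified_context():
    """The misconfiguration to look for in code review."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # has to be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

# Constructed samples in getpeercert() format; every name here is made up.
DIRECT = {"subject": ((("commonName", "mail.example.com"),),),
          "issuer": ((("organizationName", "Example Public CA"),),
                     (("commonName", "Example Public CA R1"),))}
PROXIED = {"subject": ((("commonName", "mail.example.com"),),),
           "issuer": ((("organizationName", "Example Corp IT"),),
                      (("commonName", "Example Corp Proxy CA"),))}
```

Both sample certificates would pass chain and hostname verification on a workstation that trusts the organizational CA; only the issuer comparison tells them apart.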



