zlacker

[return to "BlueCoat and other proxies hang up during TLS 1.3"]
1. JoshTr+w[view] [source] 2017-02-28 01:38:28
>>codero+(OP)
Note that this happens even when using a BlueCoat proxy in non-MITM mode. BlueCoat tries to "analyze" TLS connections, and rejects anything it doesn't understand. This exact issue occurred with TLS 1.2 back when BlueCoat only understood 1.1/1.0.

In this case, it doesn't sound like they're reverting it because of overall breakage, but rather because it breaks the tool that would otherwise be used to control TLS 1.3 trials and other configuration. Firefox had a similar issue, where they temporarily used more conservative settings for their updater than for the browser itself, to ensure that people could always obtain updates that might improve the situation.

◧◩
2. jessau+d2[view] [source] 2017-02-28 02:02:23
>>JoshTr+w
This exact issue occurred with TLS 1.2 back when BlueCoat only understood 1.1/1.0.

Good grief! From David Benjamin's final comment:

Note these issues are always bugs in the middlebox products. TLS version negotiation is backwards compatible, so a correctly-implemented TLS-terminating proxy should not require changes to work in a TLS-1.3-capable ecosystem. It can simply speak TLS 1.2 at both client <-> proxy and proxy <-> server TLS connections. That these products broke is an indication of defects in their TLS implementations.

It's understandable that I've never heard of BlueCoat: clearly this product's success is based more on selling to executives than on quality, and it has been some time since I worked in an organization that had executives to sell to.

◧◩◪
3. semi-e+yl[view] [source] 2017-02-28 06:22:36
>>jessau+d2
There was a paper posted on HN a few weeks back by some pretty serious security researchers on the security risks of SSL MITM boxes.

https://jhalderm.com/pub/papers/interception-ndss17.pdf

How do you fix this when you're naught but a humble employee? Well, a friend of mine worked at a fairly large tech company where a salesguy for these boxes had convinced the CTO they had to have them. Every tech-person "on the floor" hated the idea, so before the boxes were installed they conspired on their free time to write some scripts that ran lots of legitimate HTTPS traffic, effectively DDOSing the boxes and bringing the company's internet to a crawl for the day, like Google would take ten seconds to open. Then obviously everyone (including the non-tech people) started calling the IT helpdesk complaining that the internet was broken. MITM box salesguy then had to come up with a revised solution, costing 20x more than his first offer, and that was the end of that.

If you already are suffering under MITM boxes, a similar strategy with a slow ramp-up in traffic might work.

◧◩◪◨
4. cm2187+ht[view] [source] 2017-02-28 08:18:07
>>semi-e+yl
Yeah. This is a firable offense. The solution to your company MITM your traffic is not to use your work computer for anything personal that matters. It's not like if we had a shortage of devices to connect to the internet.
◧◩◪◨⬒
5. semi-e+kB[view] [source] 2017-02-28 10:26:05
>>cm2187+ht
If you live in a third-world country (or the US) which lacks basic functions of society like employee protection, a sensible minimum wage, universal healthcare, paid parental leave, etc., then yes, I don't recommend doing what my friend did with employing a little "civil disobedience" in such cases.

TBH, for most techies I don't think opposition to MITM boxes comes down to "I don't want them to catch me looking at cat photos" but more along the lines of "this will actually reduce security as much as it improves it, and the companies providing these products are also aiding repressive regimes and human rights violations across the globe". Personally, I would find it unethical for the company I work for to buy these products.

◧◩◪◨⬒⬓
6. jamesp+iL[view] [source] 2017-02-28 12:41:37
>>semi-e+kB
What countries can you DoS your employers' network in?
[go to top]