zlacker

[return to "BlueCoat and other proxies hang up during TLS 1.3"]
1. JoshTr+w 2017-02-28 01:38:28
>>codero+(OP)
Note that this happens even when using a BlueCoat proxy in non-MITM mode. BlueCoat tries to "analyze" TLS connections, and rejects anything it doesn't understand. This exact issue occurred with TLS 1.2 back when BlueCoat only understood 1.1/1.0.

In this case, it doesn't sound like they're reverting it because of overall breakage, but rather because it breaks the tool that would otherwise be used to control TLS 1.3 trials and other configuration. Firefox had a similar issue, where they temporarily used more conservative settings for their updater than for the browser itself, to ensure that people could always obtain updates that might improve the situation.

2. jessau+d2 2017-02-28 02:02:23
>>JoshTr+w
This exact issue occurred with TLS 1.2 back when BlueCoat only understood 1.1/1.0.

Good grief! From David Benjamin's final comment:

Note these issues are always bugs in the middlebox products. TLS version negotiation is backwards compatible, so a correctly-implemented TLS-terminating proxy should not require changes to work in a TLS-1.3-capable ecosystem. It can simply speak TLS 1.2 at both client <-> proxy and proxy <-> server TLS connections. That these products broke is an indication of defects in their TLS implementations.

It's understandable that I've never heard of BlueCoat: clearly this product's success is based more on selling to executives than on quality, and it has been some time since I worked in an organization that had executives to sell to.
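The quoted comment says version negotiation is backwards compatible: a TLS 1.3 ClientHello still carries legacy_version 0x0303 (TLS 1.2) in the clear and advertises 1.3 only inside the supported_versions extension, which a 1.2-era proxy is required to ignore if it does not recognise it. The following script is an added illustration written for this page, not code from the thread, from BlueCoat or from Chromium. It builds a constructed minimal ClientHello, parses it the way an inspecting proxy would, and models two proxy behaviours: a conforming one that skips the unknown extension and negotiates from legacy_version, and a strict one that drops anything it does not understand. The `known_extensions` set and the sample bytes are assumptions made for the example.

```python
"""Show which TLS version a 1.2-only inspecting proxy actually sees.

Constructed example: the ClientHello bytes are built in build_client_hello()
and are not a real capture.  Extension and version numbers are the IANA
values (supported_versions = 43, TLS 1.2 = 0x0303, TLS 1.3 = 0x0304).
"""
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 0x002B
# Extensions a TLS-1.2-era box plausibly knows (assumption for the model):
# server_name, supported_groups, ec_point_formats, signature_algorithms, ALPN
KNOWN_12_EXTENSIONS = frozenset({0x0000, 0x000A, 0x000B, 0x000D, 0x0010})


def _u16(n):
    return struct.pack(">H", n)


def build_client_hello(versions, suites=(0x1301, 0xC02F)):
    """Build a minimal ClientHello; `versions` fills supported_versions
    (empty list = plain TLS 1.2 hello without that extension)."""
    body = _u16(TLS12)                                  # legacy_version is always 1.2
    body += b"\x11" * 32                                # random (constructed filler)
    body += b"\x00"                                     # legacy_session_id: empty
    body += _u16(2 * len(suites)) + b"".join(_u16(s) for s in suites)
    body += b"\x01\x00"                                 # compression_methods: null only
    ext = b""
    if versions:
        ver_list = b"".join(_u16(v) for v in versions)
        data = bytes([len(ver_list)]) + ver_list        # 1-byte length prefix
        ext += _u16(EXT_SUPPORTED_VERSIONS) + _u16(len(data)) + data
    body += _u16(len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello
    return b"\x16" + _u16(0x0301) + _u16(len(hs)) + hs  # record: handshake, version 0x0301


def parse_client_hello(data):
    """Parse the fields a middlebox inspects; returns a dict of what it sees."""
    ctype, rec_ver, rec_len = struct.unpack(">BHH", data[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                                       # skip random
    pos += 1 + body[pos]                                # skip session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                # skip compression methods
    extensions = {}
    if pos < len(body):
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    offered = [legacy_version]
    sv = extensions.get(EXT_SUPPORTED_VERSIONS)
    if sv is not None:                                  # RFC 8446: this list wins
        offered = [struct.unpack(">H", sv[1 + i:3 + i])[0] for i in range(0, sv[0], 2)]
    return {"record_version": rec_ver, "legacy_version": legacy_version,
            "cipher_suites": suites, "extensions": sorted(extensions),
            "offered_versions": offered}


def middlebox_verdict(data, highest_known=TLS12, rejects_unknown_extensions=False,
                      known_extensions=KNOWN_12_EXTENSIONS):
    """Model a proxy that understands at most `highest_known`.  A conforming
    box ignores extensions it does not know and negotiates from
    legacy_version; the buggy behaviour is to drop on anything unknown."""
    info = parse_client_hello(data)
    unknown = [e for e in info["extensions"] if e not in known_extensions]
    if rejects_unknown_extensions and unknown:
        return ("drop", None)
    return ("negotiate", min(info["legacy_version"], highest_known))


if __name__ == "__main__":
    hello13 = build_client_hello([TLS13, TLS12])
    print(parse_client_hello(hello13))
    print("conforming proxy:", middlebox_verdict(hello13))
    print("strict proxy:    ", middlebox_verdict(hello13, rejects_unknown_extensions=True))
```

Run as written, the conforming model negotiates 0x0303 for the 1.3-capable hello exactly as it would for a plain 1.2 hello, while the strict model drops the connection only because of the extension it does not recognise; that gap is the middlebox defect the quoted comment describes.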

3. skywho+nM 2017-02-28 12:56:50
>>jessau+d2
The entire use case of BlueCoat and the like is to satisfy executives' desire to spy on all usage of their network. It's certainly not to benefit the users who are stuck behind it, to increase their security, or to give them a better Internet experience.
4. 794CD0+dX 2017-02-28 14:46:21
>>skywho+nM
Fuck the users. If users had their way, they'd have all the local administrator privileges they wanted so that they could download malware to their heart's content. From a non-IT perspective, they would also be free to download porn, potentially child porn, which is a crime to merely possess, and exfiltrate terabytes of company secrets.