zlacker

[return to "BlueCoat and other proxies hang up during TLS 1.3"]
1. JoshTr+w[view] [source] 2017-02-28 01:38:28
>>codero+(OP)
Note that this happens even when using a BlueCoat proxy in non-MITM mode. BlueCoat tries to "analyze" TLS connections, and rejects anything it doesn't understand. This exact issue occurred with TLS 1.2 back when BlueCoat only understood 1.1/1.0.

In this case, it doesn't sound like they're reverting it because of overall breakage, but rather because it breaks the tool that would otherwise be used to control TLS 1.3 trials and other configuration. Firefox had a similar issue, where they temporarily used more conservative settings for their updater than for the browser itself, to ensure that people could always obtain updates that might improve the situation.

◧◩
2. mrmond+w1[view] [source] 2017-02-28 01:53:28
>>JoshTr+w
BlueCoat are an incredibly evil company that are breaking the internet.
◧◩◪
3. rossy+Y7[view] [source] 2017-02-28 03:21:33
>>mrmond+w1
BlueCoat makes me cry. We have an application running inside the firewall of one of our clients that communicates with a HTTPS REST API hosted by a server in our datacenter. The connection must be encrypted because it handles confidential information, but when it passes through BlueCoat's TLS proxy, the Authorization header gets mangled and it can't authenticate against our backend. Higher-ups decided that it would be better to try to convince the client to let our app bypass their proxy than to implement a custom workaround for BlueCoat users, but the client never let us through, so the only solution we could implement involved manually SCPing the required data between client and server.
◧◩◪◨
4. reacwe+Ex[view] [source] 2017-02-28 09:23:01
>>rossy+Y7
Ssh is almost often available to connect through the firewall. Do IT people understand how easily you can work around proxy using ssh ? Just start a vm in the cloud (like a C1 at scaleway for 3.6€ per month), install squid (with default options). On your PC, run portable applications: putty connected to your vm with a forward of proxy port and portable firefox configured to use your forwarded proxy.
◧◩◪◨⬒
5. jamesp+wL[view] [source] 2017-02-28 12:44:16
>>reacwe+Ex
Why would anyone competent allow unrestricted ssh through the corporate firewall?
◧◩◪◨⬒⬓
6. simias+KN[view] [source] 2017-02-28 13:13:30
>>jamesp+wL
In my experience many companies simply filter based on port number. Run your external sshd/openvpn on port 80 and you're good to go. But of course that's going off topic since TFA is obviously about middleboxes actually intercepting and analyzing the traffic.

In truth though if you start considering your employees like the enemy it's just a never ending upwards battle, especially if your employees are comp-sci folks. You could tunnel SSH over HTTP or even DNS if you cared enough.

◧◩◪◨⬒⬓⬔
7. daxelr+Fm1[view] [source] 2017-02-28 17:41:20
>>simias+KN
How does the threat model where employees are the enemy differ from the threat model where malware running inside the network is the enemy?
[go to top]