zlacker

[return to "BlueCoat and other proxies hang up during TLS 1.3"]
1. JoshTr+w 2017-02-28 01:38:28
>>codero+(OP)
Note that this happens even when using a BlueCoat proxy in non-MITM mode. BlueCoat tries to "analyze" TLS connections, and rejects anything it doesn't understand. This exact issue occurred with TLS 1.2 back when BlueCoat only understood 1.1/1.0.

In this case, it doesn't sound like they're reverting it because of overall breakage, but rather because it breaks the tool that would otherwise be used to control TLS 1.3 trials and other configuration. Firefox had a similar issue, where they temporarily used more conservative settings for their updater than for the browser itself, to ensure that people could always obtain updates that might improve the situation.

2. jessau+d2 2017-02-28 02:02:23
>>JoshTr+w
This exact issue occurred with TLS 1.2 back when BlueCoat only understood 1.1/1.0.

Good grief! From David Benjamin's final comment:

Note these issues are always bugs in the middlebox products. TLS version negotiation is backwards compatible, so a correctly-implemented TLS-terminating proxy should not require changes to work in a TLS-1.3-capable ecosystem. It can simply speak TLS 1.2 at both client <-> proxy and proxy <-> server TLS connections. That these products broke is an indication of defects in their TLS implementations.

It's understandable that I've never heard of BlueCoat: clearly this product's success is based more on selling to executives than on quality, and it has been some time since I worked in an organization that had executives to sell to.
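The backwards-compatibility point in David Benjamin's comment is easy to see in the bytes themselves. The following is an added example, not code from this thread or from any vendor: it builds a constructed TLS 1.3 ClientHello, parses out the legacy_version field and the supported_versions extension, and then models what a correctly implemented peer at each maximum version (a TLS 1.3 server, a TLS 1.2-only proxy, a TLS 1.1-only proxy) would negotiate. The record and extension layouts follow RFC 5246/8446; the `negotiate` function is a simplified model of the rule, not a real TLS stack.

```python
import os
import struct

# TLS protocol version codes as they appear on the wire.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B  # supported_versions extension (RFC 8446)


def build_client_hello(offered_versions, random_bytes=None):
    """Build a constructed ClientHello record that offers the given versions.

    As in a real TLS 1.3 hello, legacy_version is pinned to 0x0303 (TLS 1.2);
    the true offer lives in the supported_versions extension.
    """
    random_bytes = random_bytes or os.urandom(32)
    versions = b"".join(struct.pack("!H", v) for v in offered_versions)
    ext_body = struct.pack("!B", len(versions)) + versions
    extensions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
    body = (
        struct.pack("!H", 0x0303)                 # legacy_version
        + random_bytes                            # 32-byte client random
        + b"\x00"                                 # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"      # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return legacy_version and the supported_versions list from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip the random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    supported = []
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                supported = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return {"legacy_version": legacy_version, "supported_versions": supported}


def negotiate(record, peer_max_version):
    """Model a correctly implemented peer whose newest version is peer_max_version.

    A 1.3-capable peer picks the highest common entry of supported_versions; an
    older peer ignores the extension it does not know and falls back to the
    legacy_version field, exactly as pre-1.3 negotiation always worked.
    """
    hello = parse_client_hello(record)
    if peer_max_version >= 0x0304:
        common = [v for v in hello["supported_versions"] if v <= peer_max_version]
        if common:
            return max(common)
    return min(hello["legacy_version"], peer_max_version)


if __name__ == "__main__":
    hello = build_client_hello([0x0304, 0x0303, 0x0302])
    print(parse_client_hello(hello))
    for peer_max in (0x0304, 0x0303, 0x0302):
        print(f"peer max {TLS_VERSIONS[peer_max]}: negotiates {TLS_VERSIONS[negotiate(hello, peer_max)]}")
```

The thing to notice is that a proxy which only knows TLS 1.2 never sees anything unfamiliar in the version field: it reads 0x0303, ignores an extension type it has no handler for, and terminates a perfectly ordinary TLS 1.2 session. A box that instead rejects the hello has a parsing or policy defect of its own, which is the point the comment above makes.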

3. semi-e+yl 2017-02-28 06:22:36
>>jessau+d2
There was a paper posted on HN a few weeks back by some pretty serious security researchers on the security risks of SSL MITM boxes.

https://jhalderm.com/pub/papers/interception-ndss17.pdf

How do you fix this when you're naught but a humble employee? Well, a friend of mine worked at a fairly large tech company where a salesguy for these boxes had convinced the CTO they had to have them. Every tech-person "on the floor" hated the idea, so before the boxes were installed they conspired on their free time to write some scripts that ran lots of legitimate HTTPS traffic, effectively DDOSing the boxes and bringing the company's internet to a crawl for the day, like Google would take ten seconds to open. Then obviously everyone (including the non-tech people) started calling the IT helpdesk complaining that the internet was broken. MITM box salesguy then had to come up with a revised solution, costing 20x more than his first offer, and that was the end of that.

If you already are suffering under MITM boxes, a similar strategy with a slow ramp-up in traffic might work.

4. cm2187+ht 2017-02-28 08:18:07
>>semi-e+yl
Yeah. This is a firable offense. The solution to your company MITMing your traffic is not to use your work computer for anything personal that matters. It's not as if we had a shortage of devices to connect to the internet.

5. jessau+fN 2017-02-28 13:06:34
>>cm2187+ht
When I mentioned on a mailing list that we should probably pronounce this like "expect your personal bank info to be pwned" rather than "please don't use work resources for personal purposes", I was reminded that there are lots of perfectly reasonable work-related purposes that are undermined by TLS MitM. Corporate bank accounts, ACH transactions, payroll, vendor accounts, tax portals, employee benefits/401k, etc. All of that stuff should actually be secure.

Incidentally, "Blue Coat ProxySG 6642" was the only middlebox to get an "A" from the study referenced above. Apparently they didn't test for 1.3...

6. daxelr+Ri1 2017-02-28 17:17:19
>>jessau+fN
How are any of the things you listed undermined by corporate MitM?

Everything you listed is information that the company already has access to. Why isn't it sufficient for there to be access controls by policy, the same way the company protects other sensitive information from unauthorized access within the company?

7. jessau+zx1 2017-02-28 18:30:29
>>daxelr+Ri1
Keep up man! Upthread [0], reference was made to a study that's recently made the rounds detailing the basic insecurity of MitM devices. The problem isn't only that corporate network admins see everything, it's also that after the device downgrades TLS (or worse) attackers can also see what they want...

[0] https://news.ycombinator.com/item?id=13751715