[0]https://www.fcc.gov/consumers/guides/childrens-internet-prot...
[1]https://www.fcc.gov/general/universal-service-program-school...
A few days ago there were other issues with this causing Chromium to stop working on *.google.com so it's not just about middle-boxes.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855434
https://bugs.chromium.org/p/chromium/issues/detail?id=693943
This reminds me of firewalls that weaken security by filtering unrecognized HTTP headers: https://news.ycombinator.com/item?id=12655180
> At this point it's worth recalling the Law of the Internet: blame attaches to the last thing that changed.
> There's a lesson in all this: have one joint and keep it well oiled.
> When we try to add a fourth (TLS 1.3) in the next year, we'll have to add back the workaround, no doubt. In summary, this extensibility mechanism hasn't worked well because it's rarely used and that lets bugs thrive.
That wouldn't be a certain Sergey Aleynikov and GS would it? (https://en.wikipedia.org/wiki/Sergey_Aleynikov)
[1] https://en.wikipedia.org/wiki/Blue_Coat_Systems#Use_by_repre...
> This isn't true. The TLS protocol is not a philosophy; [...]
Well, the TLS specification [1] says as the first sentence of the introduction:
"The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications."
I think, if something is "the primary design objective of TLS", it can be said that TLS is designed to do it.
https://jhalderm.com/pub/papers/interception-ndss17.pdf
How do you fix this when you're naught but a humble employee? Well, a friend of mine worked at a fairly large tech company where a salesguy for these boxes had convinced the CTO they had to have them. Every tech-person "on the floor" hated the idea, so before the boxes were installed they conspired on their free time to write some scripts that ran lots of legitimate HTTPS traffic, effectively DDOSing the boxes and bringing the company's internet to a crawl for the day, like Google would take ten seconds to open. Then obviously everyone (including the non-tech people) started calling the IT helpdesk complaining that the internet was broken. MITM box salesguy then had to come up with a revised solution, costing 20x more than his first offer, and that was the end of that.
If you already are suffering under MITM boxes, a similar strategy with a slow ramp-up in traffic might work.
This isn't "failing closed", and this isn't a whitelist. TLS allows you to whitelist to certain versions of the protocol during the initial negotiation at the start of the protocol; that is the opportunity for either end to state what version of the protocol they'd like. It is not permissible in the protocol to close the connection as Blue Coat is doing.
This isn't a downgrade attack, either: both server and client are free to choose their protocol version at the beginning. The client & server will later verify that the actual protocol in use is the one they intended; this is what prevents downgrades.
> Have some god damn ethics
Personal attacks are not allowed on HN. We ban accounts that do this, so please don't do it.
We detached this subthread from https://news.ycombinator.com/item?id=13750650 and marked it off-topic.
AIUI CIPA doesn't require MITM but most schools interpret it that way.
> "Enterprise class Blue Coat’s SSL Visibility Appliance is comprehensive, extensible solution that assures high-security encryption. While other vendors only support a handful of cipher-standards, the SSL Visibility Appliance provides timely and complete standards support, with over 70 cipher suites and key exchanges offered, and growing. Furthermore, unlike competitive offerings, this solution does not “downgrade” cryptography levels and weaken your organization’s security posture, putting it at greater risk. As the SSL/TLS standards evolve, so will the management and enforcement capabilities of the SSL Visibility Appliance."
It's pretty entertaining to read this stack overflow questions about using ssl from 7 years ago: http://stackoverflow.com/questions/2177159/should-all-sites-...
This FindLaw article http://employment.findlaw.com/workplace-privacy/privacy-in-t... agrees that employers have a right to monitor communications from their devices on their networks, especially when this policy has been clearly laid out and agreed to by employees. Expectation of privacy is a major deciding factor in US law.
I'm not sure of the legality of an ISP doing this. I would hope it's illegal, but ISPs are weirdly regulated compared to, say, phone companies.
While unfortunately for TLS client certificates are not a solution against MITM due to their awful user experience and privacy concerns, for SSH public key authentication has a good user experience, and is very common.
