zlacker

[parent] [thread] 3 comments
1. jessau+(OP)[view] [source] 2017-02-28 13:06:34
When I mentioned on a mailing list that we should probably pronounce this like "expect your personal bank info to be pwned" rather than "please don't use work resources for personal purposes", I was reminded that there are lots of perfectly reasonable work-related purposes that are undermined by TLS MitM. Corporate bank accounts, ACH transactions, payroll, vendor accounts, tax portals, employee benefits/401k, etc. All of that stuff should actually be secure.

Incidentally, "Blue Coat ProxySG 6642" was the only middlebox to get an "A" from the study referenced above. Apparently they didn't test for 1.3...

replies(2): >>cm2187+P3 >>daxelr+Cv
2. cm2187+P3[view] [source] 2017-02-28 13:47:30
>>jessau+(OP)
Absolutely, but then the right approach is to let the IT dept know that they are running the company into the ground. Often, the IT department or management may be insensitive to that argument (and then you get a Sony Entertainment hack, but then it is well deserved) or they may follow regulations that are beyond their control. But it is a management decision.
3. daxelr+Cv[view] [source] 2017-02-28 17:17:19
>>jessau+(OP)
How are any of the things you listed undermined by corporate MitM?

Everything you listed is information that the company already has access to. Why isn't it sufficient for there to be access controls by policy, the same way the company protects other sensitive information from unauthorized access within the company?

replies(1): >>jessau+kK
4. jessau+kK[view] [source] [discussion] 2017-02-28 18:30:29
>>daxelr+Cv
Keep up man! Upthread [0], reference was made to a study that's recently made the rounds detailing the basic insecurity of MitM devices. The problem isn't only that corporate network admins see everything, it's also that after the device downgrades TLS (or worse) attackers can also see what they want...

[0] https://news.ycombinator.com/item?id=13751715
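The point above about an interception device downgrading TLS is something a client can check for itself. The following is an added example, not code from the thread or the study it references: it records what a TLS client actually negotiated (protocol version, cipher, and who issued the leaf certificate) and flags the three signs that a middlebox, rather than the real site, terminated the connection. The certificate-authority names and the two sample sessions are constructed for illustration; the live capture helper uses only the standard `ssl` and `socket` modules and is not invoked here, so the block runs offline.

```python
"""Flag TLS sessions that look like they were terminated by a middlebox.

Added example, not part of the original thread. CA names and sample
sessions below are constructed, not real trust-store data.
"""
import socket
import ssl
from dataclasses import dataclass

# Issuer CNs a client expects to see on the leaf certificate of a public
# banking site (constructed sample; a real deployment would pin its own).
EXPECTED_ISSUERS = frozenset({"Example Public CA Intermediate"})

# Protocol versions a TLS-terminating proxy may fall back to on the
# client-facing leg; a modern bank would never negotiate these directly.
WEAK_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})

# Substrings of OpenSSL cipher names that indicate a weak suite.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC3", "NULL", "EXPORT", "MD5")


@dataclass(frozen=True)
class Session:
    host: str
    protocol: str   # as returned by SSLSocket.version(), e.g. "TLSv1.3"
    cipher: str     # OpenSSL cipher name, e.g. "TLS_AES_256_GCM_SHA384"
    issuer_cn: str  # commonName of the CA that issued the leaf certificate


def assess(session: Session, expected_issuers=EXPECTED_ISSUERS) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if session.protocol in WEAK_PROTOCOLS:
        findings.append(f"protocol downgraded to {session.protocol}")
    if any(marker in session.cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher {session.cipher}")
    if session.issuer_cn not in expected_issuers:
        # A corporate interception CA issues the leaf itself, so the issuer
        # is the proxy's CA rather than the public CA the site really uses.
        findings.append(f"leaf issued by unexpected CA '{session.issuer_cn}'")
    return findings


def capture_session(host: str, port: int = 443, timeout: float = 5.0) -> Session:
    """Connect with the platform trust store and record what was negotiated.

    Needs network access, so it is not called in this file. The default
    context verifies the chain, so an interception CA only passes if the
    proxy's root has been installed on this machine, which is exactly the
    case the thread is about.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
            issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
            return Session(host, tls.version(), tls.cipher()[0],
                           issuer.get("commonName", ""))


# Constructed sample sessions: one direct to the bank, one through a proxy
# that terminated TLS and re-encrypted the client leg with legacy settings.
SAMPLE_DIRECT = Session("bank.example", "TLSv1.3",
                        "TLS_AES_256_GCM_SHA384", "Example Public CA Intermediate")
SAMPLE_INTERCEPTED = Session("bank.example", "TLSv1", "RC4-SHA", "Corp Proxy CA")


if __name__ == "__main__":
    for label, sess in (("direct", SAMPLE_DIRECT), ("intercepted", SAMPLE_INTERCEPTED)):
        print(label, assess(sess) or ["clean"])
```

Run against a real host with `assess(capture_session("bank.example"))` and a pinned issuer set; the issuer check is what catches interception even when the proxy negotiates strong parameters, while the protocol and cipher checks catch the downgrade case the thread raises.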
