Hacker News new | ask | show | jobs
by stefan_ 2665 days ago
This was never about TLS. Only a stupid person would go "right, we have to decrypt traffic, we control the clients, lets break the crypto".

Surely your IT department already updates the software on client computers. Time to put on their big boy tech pants and decrypt data where the secrets are, on the clients. Then your industry can stop harassing everyone else for bad crypto.
1 comments
dogma1138 2665 days ago
Decrypting traffic on the client isn’t always possible due to how modern browsers operate.

Decrypting traffic on clients is also much harder due to the multiple types of clients you have and the fact that there is no easy way to MITM every connection the the client.

The security threat model by definition defines clients as untrustworthy hence relying on them for decryption is a flawed approach.

If you are going to be cocky and disrespectful at least be right.

link
stefan_ 2665 days ago
You control the client. There are companies making many many millions patching Excel to do fancier charts, I'm sure whatever vendor you got now desperately trying to steer the consortiums can instead figure out how to hook the crypto library in the one browser you install on clients.

Yeah, it's a hard problem. If you don't know half the things your clients are doing, it's much easier to pretend all the security conscious stuff will be going through TLS and then we break just that. It's also obviously wrong, as we all learned when they started filling USB ports with glue.

The boxes already rely on the client, unless someone signed another CA=yes certificate.

link
dogma1138 2665 days ago
Again you do not trust your clients in this threat model because you can’t.

It’s simple a client makes an external TCP connection if that connection uses TLS the its MITMed on the network level and captured this happens to all connections if the client does not accept the handshake because for example the CA for the MITM box isn’t trusted or the client uses certificate pinning the client can simply refuse to proceed with the connection.

If the connection cannot be captured and inspected for any reason it’s simply terminated and the attempt is logged for future investigation.

There is no reason to break TLS on the client or compromise the browser it’s worse in every way and cannot be trusted.

link
unparagoned 2665 days ago
If this was back in the days I'd everyone running ie maybe. But now they're is less control over clients and their browsers. Mitm is much easier, toy just install a certificate on the browser. Going client side means you need to change and modify every browser and piece of software with internet access. Or install some slow crappy firewall type thing and try and monitor things locally....
link