[chelmzy]

Its typically used for detecting malware, detecting data loss prevention, or forensics. "Drive by crap like port scanning for sshd" isn't even relevant to why companies mitm SSL. And yes I see it detect but not stop active threats on a daily basis.

[dcow]

These tools typically claim to block or catch stupidly high number of threats per unit time. And they usually bucket the drive-by stuff as a threat to achieve this narrative. I agree it’s hogwash.

So you’re essentially admitting that these TLS boxes are more about controlling employees and “data loss prevention” than actually preventing real threats and doing honest security. Got it.

https://honest.security

[unethical_ban]

>I agree it’s hogwash.

I think the parent commenter was pointing out that "MITM TLS box" has nothing to do with sshd scans. Not that MITM TLS boxes have no use.

Oh, and #4 on that "tenets of honest security" is an opinion not shared by all.

In the modern era of guest wifi and ubiquitous personal mobile devices, personal use on a work machine is not necessary or advisable. That said, in most places it is common to *not* decrypt websites related to health and government and banking.

Everything is about liability and protection of company data.

[dcow]

You know what I mean, the TLS middleware is part of your IDS suite. Anyway.

Personal use was not the norm. Locking machines down was. VPNs, corporate network perimeters, blocking copy paste (my god), TLS middleware boxes. It all sucks. And inspecting internet traffic is a breach of human rights among adults.

Then we grew out of it. Now we have identity perimeters. Strong identity and yubi keys, webauthn, SSO. Honest.security reflects how people operate today. Modern IT stacks operated by ethical teams don’t do traffic inspection.

We agree, TLS inspection is about control, not security. And that’s why it’s unethical.

“No personal use” also just doesn't work, ideologically. Gotta access your bank for payroll, financial stuff for 401k, RSUs. HR portal has to be accessible on the personal side too for taxes healthcare and emergencies. Been there done that move on.

I will concede that there are isolated highly security sensitive situations where full device control is needed like maybe for the employees or machines with access to a CA or production deployment keys or classified information with human loss of life at stake. But the no personal use mantra is not a blanket philosophy that’s healthy or good for modern society and isn’t relevant in 99.99% of use cases.

You can even look at MDMs which have shifted from full device control to hybrid support.