←back to thread

Stop Breaking TLS

(www.markround.com)
170 points todsacerdoti | 3 comments | 10 Dec 25 07:06 UTC | HN request time: 0s | source
1. apexalpha ◴[10 Dec 25 09:44 UTC] No.46215871[source]
I largely agree with the author. When our SOC wanted to implement TLS inspection I blocked it. Mostly because we not nearly at the security level for this, but also because it just fucks with so many things.

That said, we are not a business dealing with highly sensitive data or legal responsibilities surrounding data loss prevention.

If you are a business like that, say a bank or a hospital, you want to be able to block patient / customer data leaving your systems. You can do this by setting up a regex for a known format like patient numbers or bank account numbers.

This requires TLS inspection obviously.

Though this makes it harder to steal this data, not impossible.

It does however allow the C-suite to say they did everything they could to prevent it.

replies(1): >>46215910 #
2. apexalpha ◴[10 Dec 25 09:49 UTC] No.46215910[source]
Oh and the software (Netskope) was only able to decrypt our traffic in the cloud.

Lmao not in a million fucking years will I upload our data to an American company in fucking plaintext.

replies(1): >>46216039 #
3. dcminter ◴[10 Dec 25 10:08 UTC] No.46216039[source]
Netskope and the other DLP tools at my last gig would completely lock up my network connection for around 30 seconds every hour or two while maxing out 100% of a core. Fun times. The issue was still there a year after I first encountered it so I have grave doubts about the competence of those vendors.

On the other hand I am sympathetic to the needs of big regulated orgs to show they're doing something to avoid data loss. It's a painful situation.