←back to thread

Stop Breaking TLS

(www.markround.com)
170 points todsacerdoti | 6 comments | 10 Dec 25 07:06 UTC | HN request time: 0.001s | source | bottom
Show context
samuel ◴[10 Dec 25 09:31 UTC] No.46215799[source]
I agree with the sentiment, but I think it's a pretty naive view of the issue. Companies will want all info they can in case some of their workers does something illegal-inappropiate to deflect the blame. That's a much more palpable risk than "local CA certificates being compromised or something like that.

And some of the arguments are just very easily dismissed. You don't want your employer to see you medical records? Why were you browsing them during work hours and using your employers' device in the first place?

replies(3): >>46215855 #>>46216169 #>>46216703 #
itopaloglu83 ◴[10 Dec 25 10:28 UTC] No.46216169[source]
I’m all for privacy of individuals, but work network is not a public internet either.

A solution is required to limit the network to work related activities and also inspect server communications for unusual patterns.

In one example someone’s phone was using the work WiFi to “accidentally” stream 20 GB of Netflix a day.

replies(1): >>46216814 #
sceptic123 ◴[10 Dec 25 12:09 UTC] No.46216814[source]
What's the security risk of someone streaming Netflix?

There are better ways to ensure people are getting their work done that don't involve spying on them in the name of "security".

replies(2): >>46217226 #>>46218211 #
treesknees ◴[10 Dec 25 13:04 UTC] No.46217226[source]
Security takes many forms, including Availability.

Having branch offices with 100 Mbps (or less!) Internet connections is still common. I’ve worked tickets where the root cause of network problems such as dropped calls ended up being due to bandwidth constraints. Get enough users streaming Spotify and Netflix and it can get in the way of legitimate business needs.

Sure, there’s shaping/qos rules and dns blocking. But the point is that some networks are no place for personal consumption. If an employer wants to use a MITM box to enforce that, so be it.

replies(1): >>46217505 #
1. sceptic123 ◴[10 Dec 25 13:32 UTC] No.46217505[source]
I think that's a very loose interpretation of Availability in the CIA triad.

This looks a lot like using the MITM hammer to crack every nut.

If this is an actual concern, why not deny personal devices access to the network? Why not restrict the applications that can run on company devices? Or provide a separate connection for personal devices/browsing/streaming?

Why not treat them like people and actually talk to them about the potential impacts. Give people personal responsibility for what they do at work.

replies(2): >>46218274 #>>46231878 #
2. itopaloglu83 ◴[10 Dec 25 14:47 UTC] No.46218274[source]
Yes, but also it’s not an employer’s job to provide entertainment during work hours on a factory floor where there are machines that can kill you if you’re not careful.

There’s a famous fable where everyone is questioning the theft victim about what they should’ve done and the victim says “doesn’t the thief deserve some words about not stealing?”

Similarly, it’s a corporate network designed and controlled for work purposes. Connecting your personal devices or doing personal work on work devices is already not allowed per policy, but people still do it, so I don’t blame network admins for blocking such connections.

replies(1): >>46227464 #
3. lisbbb ◴[11 Dec 25 03:55 UTC] No.46227464[source]
I agree with all you said, but it's not like it is well advertised by the companies--they should come right out and say "we MITM TLS" but they don't. It's all behind the scenes smoke and mirrors.
replies(1): >>46230076 #
4. itopaloglu83 ◴[11 Dec 25 11:27 UTC] No.46230076{3}[source]
I agree, that’s a bad business practice.

Normally no personal device have the firewall root certs installed, so they just experience network issues from time to time, and dns queries and client hello packets are used for understanding network traffic.

However, with recent privacy focused enhancements, which I love by the way because it protects us from ISP and other, we (as in everybody) need a way to monitor and allow only certain connections in the work network. How? I don’t know, it’s an open question.

5. treesknees ◴[11 Dec 25 14:34 UTC] No.46231878[source]
It’s not at all a loose interpretation.

Availability: Ensures that information and systems are accessible and operational when needed by authorized users

replies(1): >>46244398 #
6. sceptic123 ◴[12 Dec 25 14:23 UTC] No.46244398[source]
I would still say that is loose — are connection issues caused by staff using streaming services generally considered to be DoS?

And on balance I'd say losing Integrity is a bad trade off to make here.