
Stop Breaking TLS

(www.markround.com)
170 points by todsacerdoti | 1 comment
NicolaiS No.46215825
Got acquired by a Fortune 500 and received a new laptop. First hour I'm seeing TLS errors everywhere except the browser. They'd half-baked their internal CA rollout, so it wasn't trusted properly.

By day two I started validating their setup. The CA literally had a typo in the company name, not a great sign.

A quick check with badssl.com showed that any self-signed(!) cert was being transparently MITM'ed and re-signed by their trusted corporate cert. Took them 40 days to fix it.

Another fun side-effect of this is that devs will just turn off TLS verification, so their codebase is full of `curl -k`, `verify_mode = VERIFY_NONE`, `ServerCertificateValidationCallback = () => true`, ... Exactly the thing you want to see at a big fintech company /s

replies(1): >>46227640
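The two checks the comment above describes, as an added example (not the commenter's own tooling): `check_leaf` connects to a host and reports whether the leaf certificate is still self-signed (issuer equals subject) or has been re-signed by something in the path, which is the badssl.com test the commenter ran; `scan_verify_off` greps a source tree for the verification-disabling idioms the comment lists, plus a few equivalents from other stacks. The regex, the sample files and the `--probe` flag are this example's own assumptions; `check_leaf` needs network access and `openssl`, while the scanner runs offline on the constructed samples.

```shell
#!/bin/sh
# Added example: detect TLS interception and code that switches verification off.

# Fetch the leaf certificate HOST presents and compare issuer with subject.
# For self-signed.badssl.com the two must be identical; if the issuer is a
# corporate CA instead, a proxy has re-signed the certificate in transit.
# Returns 0 (self-signed as expected), 1 (re-signed), 2 (no certificate obtained).
check_leaf() {
    host=$1
    # Empty stdin makes s_client exit right after the handshake; `openssl x509`
    # keeps only the first (leaf) certificate from the printed chain.
    cert=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
           | openssl x509 2>/dev/null) || return 2
    subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
    issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
    subject=${subject#subject=}
    issuer=${issuer#issuer=}
    if [ "$subject" = "$issuer" ]; then
        printf 'self-signed as expected: %s\n' "$subject"
        return 0
    fi
    printf 're-signed by: %s\n' "$issuer"
    return 1
}

# Verification-disabling idioms (assumed list; extend for your own stack):
#   curl -k / -sk / --insecure, Ruby VERIFY_NONE, .NET ServerCertificateValidationCallback,
#   Python requests verify=False, Node rejectUnauthorized:false, Go InsecureSkipVerify:true,
#   and the two environment variables that disable verification process-wide.
VERIFY_OFF_RE='curl[^|;&]*[[:space:]](-[a-zA-Z]*k[a-zA-Z]*|--insecure)([[:space:]]|$)|VERIFY_NONE|ServerCertificateValidationCallback|verify[[:space:]]*=[[:space:]]*False|rejectUnauthorized[[:space:]]*:[[:space:]]*false|InsecureSkipVerify[[:space:]]*:[[:space:]]*true|NODE_TLS_REJECT_UNAUTHORIZED=0|PYTHONHTTPSVERIFY=0'

# Print every matching line as path:line:text.
scan_verify_off() {
    grep -rEn "$VERIFY_OFF_RE" "$1"
}

# Number of matching lines under DIR.
count_verify_off() {
    scan_verify_off "$1" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for a codebase; not real company code.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/fetch.sh" <<'EOF'
curl -k https://internal.example/api
curl --insecure https://internal.example/api
curl https://internal.example/ok
EOF
    cat > "$dir/client.rb" <<'EOF'
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
EOF
    cat > "$dir/Client.cs" <<'EOF'
ServicePointManager.ServerCertificateValidationCallback = (s, c, ch, e) => true;
EOF
    cat > "$dir/client.py" <<'EOF'
requests.get(url, verify=False)
requests.get(url, verify=True)
EOF
    cat > "$dir/client.go" <<'EOF'
tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
EOF
    cat > "$dir/client.js" <<'EOF'
https.get(url, { rejectUnauthorized: false }, cb);
EOF
    printf '%s\n' "$dir"
}

# Usage: ./tls-checks.sh --probe [host]   (defaults to self-signed.badssl.com)
#        ./tls-checks.sh --scan DIR
case "${1:-}" in
    --probe) check_leaf "${2:-self-signed.badssl.com}" ;;
    --scan)  scan_verify_off "$2" ;;
esac
```

On a clean network `--probe` prints the badssl.com subject back as the issuer; behind an intercepting proxy it prints the proxy CA's name, which is exactly the symptom described above. The scanner is a heuristic: the `-k` clause matches combined short flags such as `-sk`, so review hits by hand and add the idioms of whatever HTTP clients your codebase actually uses.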
1. lisbbb No.46227640
I've experienced similar. It has definitely made me less enthusiastic about working for any of those fools ever again. It's all just an exercise in mediocrity. The illiterate emails people send out are even worse--I swear that a lot of US born adults are functionally illiterate.