←back to thread

Stop Breaking TLS

(www.markround.com)
170 points todsacerdoti | 5 comments | 10 Dec 25 07:06 UTC | HN request time: 0.231s | source
1. parliament32 ◴[11 Dec 25 17:49 UTC] No.46234605[source]
The author is complaining a lot about implementation pains without taking a step back and looking at why it exists in the first place.

Say you work at a place that deals with credit cards. You, as a security engineer, have a mandate to stop employees from shipping CC numbers outside the org.

You can educate all you want, you can have scary policies and HR buy-in, you can have all the "Anomaly detection, Zero Trust network architecture, EDR, Netflow analysis" in the world, but exactly zero of those will stop Joe Lunchbox from copy/pasting a block with a CC number in the middle into ChatGPT. You know what will? A TLS-inspecting proxy with some DLP bits and bobs.

It sucks, yes. But it works, and (short of the fool's errand of trying to whitelist every site any employee needs) it's the only thing that works.

And yes, I'm aware PCI DSS has additional requirements for CDEs and whatnot, but really this can apply to anything -- a local government office dealing with SSNs, a school with student ID numbers, a corporation with trade secrets.. these problems exist everywhere, and implementing PCI-like controls is often a bridge too far for unregulated industries.

replies(2): >>46234666 #>>46242827 #
2. dadrian ◴[11 Dec 25 17:55 UTC] No.46234666[source]
That is not true, you can run DLP on an endpoint directly and inside a browser directly (e.g. via an extension or direct integration hooks).

You can also try to stop the situation where the CC numbers are in the clear anywhere in the first place, so that you can't copy/paste them around. What happens if someone writes the CC number down on a piece of paper?

replies(1): >>46234801 #
3. parliament32 ◴[11 Dec 25 18:06 UTC] No.46234801[source]
Endpoint DLP helps but it's not even close to bulletproof. Just for fun, if you have DLP at work, open the integrated browser in VS Code and notice how you can send protected test strings without anything chirping you.

> CC numbers are in the clear anywhere in the first place

Sounds great in theory, until you realize that in a large number of industries the majority of employees need access to protected data to do their jobs. Imagine telling the IRS their employees can't see/use cleartext SSNs.

As for paper / mobile phones / whatever.. you're not wrong, but physical security is typically someone else's job.

replies(1): >>46235064 #
4. dadrian ◴[11 Dec 25 18:28 UTC] No.46235064{3}[source]
Network DLP is also not bulletproof so I'm not sure what the argument is there. These things are all best effort.

> if you have DLP at work, open the integrated browser in VS Code and notice how you can send protected test strings without anything chirping you.

I recognize it's not instrumented, but how are protected strings getting there in the first place?

5. morpheuskafka ◴[12 Dec 25 10:42 UTC] No.46242827[source]
> stop Joe Lunchbox from copy/pasting a block with a CC number in the middle into ChatGPT. You know what will? A TLS-inspecting proxy with some DLP bits and bobs.

If you are sniffing web traffic for anything that looks like a credit card number, won't you just catch every time the employee/company's own card is entered onto a payment page?