On Tue, Jan 20, 2015 at 5:23 AM, Tim Franklin wrote:
> I'd still very much *want* the organization to tell the users
> that the internal IT people are breaking their SSL, so
> please not to have any expectation that security is doing
> what you think it is.
Blame it on the browser devs. They tell
> By the way, I hope that all of the people who have been ranting about
> this have read this note. The only way this filtering works is if the
> client computers have a special CA cert installed into their browsers.
> That means it's a private organizational network that manages all its
> client
On Sun, Jan 18, 2015 at 4:29 AM, Grant Ridder
wrote:
> It looks like Websense might do decryption (
> http://community.websense.com/forums/t/3146.aspx) while Covenant Eyes
> does some sort of session hijack to redirect to non-ssl (at least for
> Google) (https://twitter.com/CovenantEyes/status/45
>We use Fortinet firewalls and SSL (HTTPS, FTPS, IMAPS, POP3S, SMTPS,
>SSH) inspection is a standard feature. It works by rolling out a custom
>CA certificate from the device to all of the desktops and whenever you
>hit a SSL site, a cert signed with the CA is generated and presented to
>the u
In article <54bcc924.1000...@cox.net> you write:
>On 1/18/2015 12:55, John R. Levine wrote:
>> There are also ISPs that provide intrusive filtering as a feature. I
>> wouldn't use one, but I know people who do, typically members of
>> conservative religious groups.
>
>Can you provide credible evid
On 1/18/2015 12:55, John R. Levine wrote:
There are also ISPs that provide intrusive filtering as a feature. I
wouldn't use one, but I know people who do, typically members of
conservative religious groups.
Can you provide credible evidence to support "typically members of
> conservative relig
On 1/18/2015 12:41, Teleric Team wrote:
Honestly, don't do this. Neither option. You can still have some
control over SSL access with ordinary domain based filtering getting
proxied, via CONNECT method or sorta. You don't need filtering
capabilities over full POST/DELETE/UPDATE HTTP methods, and i
On Sun, Jan 18, 2015 at 08:05:18PM +, Kelly Setzer wrote:
> I don't know if you're referring to HSTS.
No, HSTS is separate to certificate pinning. Certificate pinning would, in
fact, cause Chrome to freak out in the presence of an HTTPS-intercepting
proxy, but that's what it's supposed to do.
chris writes:
> I have been going through something very interesting recently that relates
> to this. We have a customer who google is flagging for "abusive" search
> behavior. Because google now forces all search traffic to be SSL, it has
> made attempting to track down the supposed "bad traffic
I don't know if you're referring to HSTS. If not, it's worth noting in
this thread. As I understand HSTS, session decryption is still possible
on sites that send the 'Strict-Transport-Security' header. See:
https://tools.ietf.org/html/rfc6797
I suspect it's only a matter of time before browsers
I expect your users would fire you when they found you'd blocked access to
Google.
And they would sue you for gross negligence for decrypting their ssn when
access company payroll and cpni data
May I suggest that playing Junior Lawyer on nanog rarely turns out well.
These filter boxes are ty
Honestly, don't do this. Neither option. You can still have some control over
SSL access with ordinary domain based filtering getting proxied, via CONNECT
method or sorta. You don't need filtering capabilities over full
POST/DELETE/UPDATE HTTP methods, and if you believe you need it, you just hav
On 18 Jan 2015 18:15:09 -, "John Levine" said:
> I expect your users would fire you when they found you'd blocked
> access to Google.
Doesn't goog do certificate pinning anyways, at least in their web
browser?
On Sunday, January 18, 2015, John Levine wrote:
> >> So your idea is to block every HTTPS website?
> >From my point of view, it is better than violate user privacy & safety.
> >
> >Sneaky is evil.
>
> I expect your users would fire you when they found you'd blocked access to
> Google.
>
>
And the
>> So your idea is to block every HTTPS website?
>From my point of view, it is better than violate user privacy & safety.
>
>Sneaky is evil.
I expect your users would fire you when they found you'd blocked access to
Google.
>>> These boxes that violate end to end encryption are a great place for
On Sunday, January 18, 2015, Ammar Zuberi wrote:
> So your idea is to block every HTTPS website?
>
>
My idea is to provide secure internet and tell the truth about it.
Proxying And mitm SSL/TLS is telling a lie to the end user and exposing
them and the proxying organization to a great deal of l
On Sun, Jan 18, 2015 at 7:29 AM, Grant Ridder wrote:
> I wanted to see what opinions and thoughts were out there. What software,
> appliances, or services are being used to monitor web traffic for
> "inappropriate" content on the SSL side of things? personal use?
> enterprise enterprise?
Hi Gra
Hello,
I have been going through something very interesting recently that relates
to this. We have a customer who google is flagging for "abusive" search
behavior. Because google now forces all search traffic to be SSL, it has
made attempting to track down the supposed "bad traffic" extremely
dif
From my point of view, it is better than violate user privacy & safety.
Sneaky is evil.
On 18/01/2015 15:53, Ammar Zuberi wrote:
> So your idea is to block every HTTPS website?
>
>
>> On 18 Jan 2015, at 6:48 pm, Ca By wrote:
>>
>>> On Sunday, January 18, 2015, Grant Ridder wrote:
>>>
>>> Hi
So your idea is to block every HTTPS website?
> On 18 Jan 2015, at 6:48 pm, Ca By wrote:
>
>> On Sunday, January 18, 2015, Grant Ridder wrote:
>>
>> Hi Everyone,
>>
>> I wanted to see what opinions and thoughts were out there. What software,
>> appliances, or services are being used to moni
On Sunday, January 18, 2015, Grant Ridder wrote:
> Hi Everyone,
>
> I wanted to see what opinions and thoughts were out there. What software,
> appliances, or services are being used to monitor web traffic for
> "inappropriate" content on the SSL side of things? personal use?
> enterprise enter
We use Fortinet firewalls and SSL (HTTPS, FTPS, IMAPS, POP3S, SMTPS,
SSH) inspection is a standard feature. It works by rolling out a custom
CA certificate from the device to all of the desktops and whenever you
hit a SSL site, a cert signed with the CA is generated and presented to
the user.
On Sun, Jan 18, 2015 at 5:29 AM, Grant Ridder
wrote:
> Hi Everyone,
>
> I wanted to see what opinions and thoughts were out there. What software,
> appliances, or services are being used to monitor web traffic for
> "inappropriate" content on the SSL side of things? personal use?
> enterprise e