If state actors or universal MITM or coffee shop attacks are primary threats, then loss of private key is a very bad outcome for SSL offload. And this is what SSL is meant to help with.
For many (more?) sites though, the issue was loss of session plaintext (e.g. API creds, basic auth creds, PII or credit cards). For a lot of applications where just hitting the webserver remotely is a lot easier than MITM, this was actually the more severe problem.