undefined | Better HN

0 pointstinus_hn7y ago0 comments

It’s a pipe dream. The webpage or application can easily include its own encryption that can’t be broken by these proxies.

If your stance is ‘no opaque data leaves my network’ your only option is an air gap.

0 comments

acdha7y ago

Engineering is all about making trade-offs (“perfect is the enemy of the good and all”) and security engineering is no different. The same logic could be used to say that you don't need an edge firewall because each client should have one but it's much easier to simplify the baseline.

If nothing else, it would make the remaining traffic stand out more since you wouldn't be spending time auditing normal apps which decode cleanly and it's highly likely that someone trying to circumvent such a system would be required to do things which stand out more than routine usage.

As a simple example, an organization which does that kind of monitoring is unlikely to allow users to install arbitrary applications or visit any site on the web. With a standard setup, someone trying to exfiltrate data could just hit a popular site like Github, Gmail, Dropbox, etc. but if they need to use some custom encryption or steganography code they're either forced to install it somewhere far less common (i.e. more likely to stand out) or installing something locally where client monitoring can report an unusual browser extension or application.

tinus_hnOP7y ago

A cute excuse until one of your popular sites starts to do this. Now it happens to be that Google hates these proxies as they are a popular target for repressive governments, who technically can’t be distinguished from a snooping ‘enterprise’.

The reality is that world kept turning without these proxies and it will keep turning once they are made obsolete.

AndyMcConachie7y ago

It's not a pipe dream if your only goal is to be compliant with a formal rule or regulatory structure that requires it. The reason we need stuff like ETS is really because there are organizations that otherwise could not allow any outbound HTTPS sessions.

There are people who need to check off boxes in order to comply with certain rules. Their security reality is not actually all that important.

Freak_NL7y ago

They control the devices on their side of the firewall, so they can log whatever they want before the data sent enters the encrypted tunnel, and after the data received exits it.

ETS just means they don't have to spend money on replacing their man-in-the-middle monitoring gear with client-local solutions on every workstation and server.

It al seems pretty silly though. Regulators aren't idiots; they know that HTTPS is everywhere now, and that TLS 1.3 means that third parties listening in on connections are going to be thing of the past, so the regulations will change to reflect that.

funkymike7y ago

> ETS just means they don't have to spend money on replacing their man-in-the-middle monitoring gear with client-local solutions on every workstation and server.

Doesn't it still require altering the TLS implementation to use the static DH keys instead of following the TLS 1.3 standard of using random keys?

rocqua7y ago

You can ban the use of such applications a lot easier than you can ban HTTPS. This means that simply using those tools is grounds for legal action, which might suffice. Especially if the concern for confidentiality is not for internal reasons, but for legal reasons.

j / k navigate · click thread line to collapse