undefined | Better HN

0 pointsnobody99994y ago0 comments

> Many big companies have what is basically a MITM attack on SSL. They resign everything between you and the network endpoint using an enterprise certificate. It's still encrypted but at some point it's decrypted, inspected, and then re-encrypted. It's mostly seamless but sometimes you have to get a copy of the certificate to add it to things like pip.

Yes. And this is a good thing (in an enterprise environment) for a couple of reasons (a few others too, but these should make the point):

   Proxying connections is inherently more secure
   than packet filtering/stateful inspection;

   As was pointed out in another comment[0], most 
   traffic is encrypted these days.  Any traffic 
   traversing the enterprise network needs to be 
   visible (unencrypted) to network administrators.  

   This allows them to identify, investigate and, 
   potentially, block suspicious traffic.

Any large organization (or even smaller ones with the need and the resources) should be able to decrypt and read every packet traversing their internal network and the ingress/egress points to/from that network.

That requires ubiquitous use of proxies for all connections that have an external endpoint.

It's likely that some sensitive internal networks/servers/applications should do so as well.

While that's very intrusive, it's not your home network, nor is it (semi-)public wifi. It's the wholly owned property (I'm not addressing "cloud-based" resources here -- that's a different long discussion) of that organization.

As such, they have every right to read every packet on their network and every byte on their storage.

Which is why many organizations have "guest" networks which not only has no access to internal resources, but also only allows connections to external networks and bypasses all the proxies/firewalls as well.

This allows employees, contractors and others to maintain their privacy on their own devices without impacting the security of the internal network.

Of course, this requires device authentication at the network layer (e.g., 802.1x) to ensure that only authorized devices are permitted access to the internal network.

None of the above is particularly new or particularly controversial.

[0] https://news.ycombinator.com/item?id=30574794

Proxying connections is inherently more secure than packet filtering/stateful inspection; As was pointed out in another comment[0], most traffic is encrypted these days. Any traffic traversing the enterprise network needs to be visible (unencrypted) to network administrators. This allows them to identify, investigate and, potentially, block suspicious traffic.

0 comments

4 comments · 2 top-level

rapjr94y ago· 2 in thread

> As was pointed out in another comment[0], most traffic is encrypted these days. Any traffic traversing the enterprise network needs to be visible (unencrypted) to network administrators.

Defense in depth means the network administrators do not get access to everything because if -they- are compromised then everything is compromised. So you should have multiple admins with limited power over their own subnets and turning off encryption should be like getting a warrant from a judge. This helps prevents stalking also. Network administrators are a centralized primary vulnerability that needs to be mitigated.

nobody9999OP4y ago

>Defense in depth means the network administrators do not get access to everything because if -they- are compromised then everything is compromised. So you should have multiple admins with limited power over their own subnets and turning off encryption should be like getting a warrant from a judge. This helps prevents stalking also. Network administrators are a centralized primary vulnerability that needs to be mitigated.

A reasonable point. There certainly need to be policies and controls around who can access decrypted network traffic, as well as under what circumstances access to such traffic should be granted.

However, that doesn't mean the capability to do so shouldn't be there.

That said, good policies/controls can significantly mitigate the risks you addressed. Those can (and should) include separation of duties, clearly defined roles and granular access controls.

What's more, you need to hire honest, decent people. Fortunately, most folks are.

If one or more of your employees violates policy (and potentially the law) and exfiltrates corporate data/information, depending on severity, that employee(s) should be disciplined, fired and/or prosecuted.

And "turning off encryption" isn't anything to which I described, or even alluded. Rather, I discussed using proxies to mediate connections between internal and external sides of encrypted (and unencrypted ones for that matter). connections is good security practice.

>turning off encryption should be like getting a warrant from a judge.

That's a ridiculous statement on its face.

Organizations (and by extension, those designated by the organization to do so) have the legal right to examine all data that traverses their networks. Full stop.

Edit: Correct awkward phrasing.

rapjr94y ago

>Organizations (and by extension, those designated by the organization to do so) have the legal right to examine all data that traverses their networks. Full stop.

I didn't say it should require going to an actual judge, I intended to say that digging into packets should require approval and the approval should not be given easily (maybe a "break glass" system). I do think that companies legal right to view all data on the network may change in the near future, especially in the USA if it ever gets decent privacy laws, and in the UK. Businesses may also move away from it because it could be a source of liability. It's rather like the rethinking going on around collecting more data than needed from customers rather than the minimum; the extra data becomes something the police can demand, that can be subpoenaed, that the company is liable for if stolen or modified or otherwise compromised, and that the company may be required to maintain the accuracy of. It also seems like examining decrypted network traffic to manage the network would only be necessary for some types of data, not all data. There can be internal company liabilities also, if an admin has carte blanche to look at lots of data and some crucial proprietary company data is leaked to the outside, just having had the potential for access makes the admin a suspect, innocent or not. Minimizing access and limiting the types of data which can be viewed to what is necessary seems logical, again with a break glass mechanism for unusual situations. It's mainly a historical artifact that network administrators have had such power and in many cases it is way more powerful than is actually needed. Hiring honest decent people is always good, but they can be blackmailed or simply ordered by the company to do unethical things, or ordered to grant access to someone who will do unethical things.

1 more reply

dhx4y ago

The MITM proxy architecture creates a central system (or systems) with privileged in-band[1] access to all clear text traffic of the organisation. This central system would have an enormous attack surface because of the millions of lines of code[2] required to handle the TLS protocol, parse protocol messages, etc.

The MITM proxy architecture also introduces an extreme risk of exposing one of the most sensitive private keys of the organisation (trusted by all computers of the organisation) in the event the MITM proxy system is compromised.

I'm more inclined to consider the MITM proxy architecture as an anti-pattern as it undermines proper isolation between systems on the network and undermines the concept of perfect forward secrecy.

[1] (meaning: directly in the flow of data such that the data can be manipulated by an attacker)

[2] By example, OpenSSL consists of 0.7 million lines of code per https://www.openhub.net/p/openssl/analyses/latest/languages_... and Wireshark consists of 4.5 million lines of code per https://www.openhub.net/p/wireshark/analyses/latest/language...

j / k navigate · click thread line to collapse