If you have a TLS MITM proxy configured and an attacker pwns the proxy, it’s pretty much game over. Forget access to the internal network: any host that has the MITM proxy’s certificate installed will trust it to view and modify all TLS traffic. That gives the attacker a free attack on all web origins without even compromising anything else. AWS console, check. Configuration of other corporate appliances, check. Everyone’s communication tools, check. And the attacker gets to replace anything downloaded by anything that doesn’t use certificate pinning.