Reply to post: lesser threat

TLS proxies? Nah. Truthfully Less Secure 'n' poxy, say Canadian infosec researchers

Nate Amsden Silver badge

lesser threat

I don't use these appliances(I haven't done corp IT work since 2002) but certainly can understand security folks seeing whatever vulnerabilities they have is less than letting people connect externally to things they can't inspect. I'd wager many companies would even be fine with SSL termination on the proxies and just providing http internally(that is quite common in application load balancing setups anyway, something I have been doing for about 15 years now).

Now it'd certainly be good if these vulnerabilities were fixed - though I don't agree with disabling support for older protocols not without a graceful failure mode of some kind. It drives me insane that browsers and people push to completely disable stuff without any sort of graceful failure mode. I've been saying for years now treat those sites as if they were using self signed certs -- provide a warning, and a way for the user to continue past the warning if they deem the risk is acceptable, or if they just don't care. Because the same level of threat exists with self signed certs as it does with weak(er) encryption. Well I guess technically non trusted certs are much easier to deploy and so a much greater risk than weaker encryption.

But as it stands the things in the article seem to be far less of a threat than if the companies removed the appliances altogether as an example.

I had discussions with one guy who is really good in security who at his previous company didn't allow any outbound communications from the servers to the internet unless it went through a proxy. Which on paper sounds fine but unless your doing SSL interception on that proxy there's still a very wide open door there for stuff to get out that you can't see(in the earlier days at his company it was long before wide spread https adoption). With more and more external services dependent upon large crappy clouds that have wide swaths of IP addresses that change often(without notice) it's not quite practical to try to lock down communications to IPs(at least to ones based in those clouds), and often even more difficult to determine what is on that IP.

Recently had to diagnose a network issue in this situation and fortunately the remote IPs were serving regular https and their ssl certs were specific enough that it allowed me to identify the organization(a provider the company I am with does business with so I recognized it) that was running the service on those ips.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022