[177410] in North American Network Operators' Group
Re: HTTPS redirects to HTTP for monitoring
daemon@ATHENA.MIT.EDU (Ammar Zuberi)
Sun Jan 18 09:53:54 2015
From: Ammar Zuberi <ammar@fastreturn.net>
In-Reply-To: <CAD6AjGTzyA2Qr-1YK1LHzQLEnaYNPKFE277HQ=Cq+smAgFBhpA@mail.gmail.com>
Date: Sun, 18 Jan 2015 18:53:41 +0400
To: Ca By <cb.list6@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>

So your idea is to block every HTTPS website?

> On 18 Jan 2015, at 6:48 pm, Ca By <cb.list6@gmail.com> wrote:
>
>> On Sunday, January 18, 2015, Grant Ridder <shortdudey123@gmail.com> wrote:
>>
>> Hi Everyone,
>>
>> I wanted to see what opinions and thoughts were out there. What software,
>> appliances, or services are being used to monitor web traffic for
>> "inappropriate" content on the SSL side of things? Personal use?
>> Enterprise?
>>
>> It looks like Websense might do decryption (
>> http://community.websense.com/forums/t/3146.aspx) while Covenant Eyes does
>> some sort of session hijack to redirect to non-ssl (at least for Google) (
>> https://twitter.com/CovenantEyes/status/451382865914105856).
>>
>> Thoughts on having a product that decrypts SSL traffic internally vs one
>> that doesn't allow SSL to start with?
>>
>> -Grant
>
> IMHO, it would be better to just block the service and say the encrypted
> traffic is inconsistent with your policy instead of snooping it and
> exposing sensitive data to your middle box.
>
> These boxes that violate end to end encryption are a great place for
> hackers to steal the bank and identity info of everyone in your company.
>
> That sounds like a lot of liability to put on your shoulders.
>
> CB