Unfortunately we are living in the real (not ideal) world and there are cases
where the SSL split is definitely needed or should at least be considered.
For example, Squid 3.5 comes with a new design of SSLBump allowing some
inspection of the connection prior to the real SSLSplit. That gives you the
possibility to deeply inspect only traffic which you recognize as
suspicious.

http://wiki.squid-cache.org/Features/SslPeekAndSplice

Of course users need to be properly informed about such technology
deployed in the environment.

That listing of SW providing https inspection on cert.org is meaningless as
all of today's antivirus SW provides this feature - which can be disabled of
course...like for most of the products listed there.

On Fri, Mar 27, 2015 at 1:32 AM, Bob Proulx <b...@proulx.com> wrote:

> Michael Graham wrote:
> > Reco wrote:
> > > Ow. Exactly which kind of consumer-grade hardware comes with SSL bump
> > > preinstalled? That's very interesting to me as I'd like to know which
> > > hardware to avoid in the future.
> >
> > It's way more common than you seem to think. CERT recently did a blog
> > post about it and it contains a list of both hardware vendors (like Bloxx and
> > bluecoat) as well as commercial and free software.
> >
> > http://www.cert.org/blogs/certcc/post.cfm?EntryID=221
> >
> > Basically if you're selling a web filter or similar security device, you
> > let admins bump SSL.
>
> There are certainly many products that one can buy that do SSL
> inspection.  No one is saying otherwise.  That wasn't the question.
> But are any of those commonly used consumer devices?
>
> If someone walks into Fry's or Best Buy and spends less than $100 for
> a home firewall router such as a Linksys, Netgear, D-Link then I doubt
> it is going to crack open SSL.  I doubt they do because doing so would
> require additional CAs to be installed on users' tablets and other
> systems downstream and that requires too much support and
> hand-holding.
>
> Most users would be immediately confused, would consider the device
> broken, would return it without ever knowing that they were making the
> right decision of avoiding it but without ever understanding the
> details.  Therefore consumer devices aren't going to go there.
>
> > Given how easy it is for those same admins to push the fake SSL CAs out
> > over active directory group policy it's pretty much transparent to most
> > naive users who don't understand the difference between https and http
> > never mind trying to explain a MITM proxy with a fake root CA!
>
> Agreed in the corporate environments.  They have control over the
> users equipment.  They often require and issue employees with company
> laptops.  For that type of environment they can do anything.
>
> The warning is clear.  Don't use your company laptop for your non-work
> anything.  It isn't secure.  Use your own computer, laptop, tablet,
> phone for your banking and anything that needs security.
>
> Bob
>
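For readers who want to see what the Squid 3.5 peek-and-splice decision mentioned above looks like in practice, here is an added squid.conf fragment. It is not part of the thread and not taken from the Squid project's own documentation; the CA file path, the ssl_crtd helper and database paths, the port number and the example-bank.com / example-health.org host names are assumptions for illustration. It peeks at the TLS handshake first, splices (passes through untouched) connections to hosts you choose to leave alone, and bumps everything else.

```squid
# Added example of Squid 3.5 SslBump peek-and-splice (not from the thread).
# All paths, the CA file and the host names below are illustrative assumptions.

# Intercepting HTTPS port. Squid mints a per-site leaf certificate signed by
# myCA.pem, so that CA must be trusted on every client behind the proxy;
# without it every browser shows a certificate warning.
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

# SslBump proceeds in up to three steps:
#   SslBump1: TCP connection accepted, only client IP/port known
#   SslBump2: client's ClientHello has been read, SNI available
#   SslBump3: server's certificate has been read
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Hosts that must never be decrypted (banking, health, anything that pins
# certificates). ssl::server_name matches the SNI at step 2 and the server
# certificate's subject/SAN at step 3.
acl no_bump ssl::server_name .example-bank.com
acl no_bump ssl::server_name .example-health.org

# Step 1: read the ClientHello without altering it so the next decision
# can use the SNI the client sent.
ssl_bump peek step1
# Step 2: pass the allow-listed hosts through untouched.
ssl_bump splice no_bump
# Everything else gets a forged certificate and is decrypted and inspected.
ssl_bump bump all
```

Two caveats worth keeping in mind with this layout: the only name available at step 2 is the SNI the client supplied, so a client that omits or lies about SNI is matched on nothing and falls through to bump all; and any application that pins its server certificate will simply fail behind the proxy rather than warn, which is one more reason the users need to be told what is deployed.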
