[Discuss] Discuss Digest, Vol 88, Issue 10
Dale R. Worley
worley at alum.mit.edu
Thu Sep 20 21:57:56 EDT 2018
From: Bill Ricker <bill.n1vux at gmail.com>
>> The downside of this latter approach is that the IT org can then sign
>> certs for *ANY* other site and therefore intercept all HTTPS traffic
>> they wish to see.
>
> If the IT / SEC group is competent to do the one, they're probably already
> doing the other!
>
> (And possibly consider themselves legally required to, to prevent
> exfiltration of sensitive data -- HIPAA, SARBOX, ...)
It's a known thing ... you can buy hardware accelerators that terminate
HTTPS connections from clients and dynamically generate certs for any
host name.
Dale
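A client-side check for the interception Dale describes, added here as an example and not part of the thread: when one internal CA re-signs every site, every host the client visits shows the same unexpected issuer. The certificates below are constructed in the dict layout `ssl.SSLSocket.getpeercert()` returns; the CA names are hypothetical.

```python
"""Detect TLS interception by comparing observed issuers with expected ones.

Works on the dict form of a certificate that ssl.SSLSocket.getpeercert()
returns, so it can be pointed at real connections; the samples here are
constructed and the CA names are hypothetical.
"""

# Constructed: what an intercepting appliance hands a client asking for
# example.com. Note the internal issuer signing a public host name.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Inspection CA"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

# Constructed: the same site as seen with no middlebox in the path.
DIRECT_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}


def _rdn_value(name, attr):
    """Return the first value of `attr` in a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def issuer_cn(cert):
    """Common name of the CA that signed this certificate, or None."""
    return _rdn_value(cert.get("issuer", ()), "commonName")


def is_intercepted(cert, inspection_roots):
    """True if the cert was signed by a CA the organisation uses for inspection."""
    return issuer_cn(cert) in inspection_roots


def unexpected_issuers(observed, allowed_issuers):
    """Hosts (sorted) whose certificate issuer is not on the allow-list.

    `observed` maps host name -> getpeercert() dict. A long list sharing one
    issuer is the signature of a re-signing proxy rather than a single odd CA.
    """
    return sorted(host for host, cert in observed.items()
                  if issuer_cn(cert) not in allowed_issuers)
```

Run it on live data by filling `observed` from `getpeercert()` on each connection and comparing against the issuers you expect for those hosts; a corporate root on the list for every site is the interception case.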