On Sat, Sep 27, 2025 at 1:35 AM Samuel Sieb <[email protected]> wrote:
>
> On 9/26/25 9:54 PM, Marco Moock wrote:
> > On 27.09.2025 at 01:10:23, olivares33561 via users wrote:
> >
> >> I work in a school and now the network will not connect anywhere
> >> anymore. The certificate install is needed. Don't know some say it
> >> is a firewall type of deal.
> >
> > There are firewalls that do TLS interception.
> > That is a man in the middle attack by your site to your connection,
> > they can read and manipulate all your traffic.
>
> That is terrible and breaks all security. You can't trust any sites if
> you do that.

In the browser security model, interception is a valid use case for Data Loss Prevention (DLP) programs. That includes use of TLS interception proxies.

The browsers use tortured logic to arrive at "interception is a valid use case". They hang it off of the W3C's Design Principles and Priorities of Constituencies. The browser's argument goes as such: if a user did not want to be intercepted, then the CA certificate used for interception would not be present in the certificate store. Since the proxy's interception certificate is present in the store, the user wants to be intercepted. (You can't make this shit up).

A corollary to "interception is a valid use case" is, webapps can never be sure they have a secure channel. Therefore, webapps can only handle low value data. Higher value data should be handled by hybrid and native apps.

Jeff
