On Sat, Sep 27, 2025 at 12:48 PM Barry <[email protected]> wrote:
>
> > On 27 Sep 2025, at 06:36, Samuel Sieb <[email protected]> wrote:
> >
> > That is terrible and breaks all security. You can't trust any sites if you
> > do that.
>
> It’s a fact of life that one of the few reliable ways to detect malware
> and prevent data leaks is to intercept the TLS data.
> To do that you need a man-in-the-middle proxy. You are given the company's CA
> that you install in the clients
> so that you can trust the certs created by the proxy.
> If you trust the security company then you can trust the CA.
>
> I used to work on such a product, it is a valid solution for many
> enterprises, and it works very well in practice.

Until it does not.

Take Blue Coat, for example. The company is US based and offers a TLS Interception proxy. The product was purchased by despot regimes around the world to spy on its citizens. We can only speculate what happened next, but I suspect it included torture and death for some individuals.

This is the problem with backdoors. Both the good guys can use them, and the bad guys. I present the problem this way: how does one differentiate between a "good" bad guy and a "bad" bad guy? The answer is, you can't.

When you encounter someone breaking your secure channel, you stop using it for your comms. You find a different method to communicate.

I eat my own dogfood. I carry a mini laptop with a mobile 5G hotspot. If I can't get a secure channel using a corporate laptop, then I start up my mini laptop with the hotspot. That is not illegal (yet?) in the US.

Jeff
