The US government has basically declared "HTTPS/TLS Interception Considered Harmful". This is going to be interesting as all the major security load blanacer/appliances out there offer this as a standard service at this point.
US-CERT has very little influence, even in regulated industries. As usual, CERT is saying something formally that has been axiomatic among practitioners for many years. The only conclusion I'd draw from this is about CERT.
Obviously: what they're saying is broadly true. I also agree with the other commenters here who are pointing out that this is largely a response to endpoint TLS interception, and that the point is to focus attention on tools that intercept but don't validate certificates --- CERT is not telling every Fortune 500 company and every federal agency to stop deploying BlueCoat boxes.
But the more important thing to push back on in your comment is the notion that a proclamation from CERT has any real meaning. It doesn't, even within FedGov IT.
I don't think that's the correct interpretation of this document. A better title would be "Most TLS Proxies Considered Harmful", not TLS interception as a whole.
US-CERT is explicitly calling out that many appliances and applications often are weakening security vs. the common TLS clients, by way of not properly validating certificate chains by proxy for the client and otherwise masking SSL/TLS issues from being surfaced to the end user.
I believe this is CERT trying to get software companies to get their act together on solving security-detrimental UX/UI issues vs. a blanket statement not to add TLS interception proxies to a corporate network.
> I don't think that's the correct interpretation of this document. A better title would be "Most TLS Proxies Considered Harmful", not TLS interception as a whole.
This is the usual reaction to this I see everywhere. It doesn't match with reality. Read the complete paper by Halderman et al [1].
It says pretty clearly that all existing products lower the security in one way or another: "Our grading scale focuses on the security of the TLS handshake and does not account for the additional HTTPS validation checks present in many browsers, such as HSTS, HPKP, OneCRL/CRLSets, certificate transparency validation, and OCSP must-staple. None of the products we tested supported these features."
TLS Interception that doesn't degrade security is a myth that exists only in some parallel world fantasy. It's also not very surprising. Browser vendors have extremely qualified security teams that are involved in many ways in the development of stronger TLS protections. Nothing like that can be said about any of the vendors of interception products.
Is better TLS interception actually possible? Is it just that it's usually badly implemented, or is it a fundamental weakening?
Other than the unavoidable weakening of having another system seeing the unencrypted data, which is inherent in using one of these systems and can never go away.
> Is better TLS interception actually possible? Is it just that it's usually badly implemented, or is it a fundamental weakening?
In theory, yes, apart from the obvious "more attack surface" problem. They could check for HPKP, CRLset, CT. They could even do more. (CT checking is very basic in Chrome and nonexistent in other browsers.)
However in reality? No. In the real world Bluecoat manages to break TLS 1.3 deployment, although its designers tried everything to avoid that and they have been asked by Google to test that.
As far as I can tell this is targetted at what I would expect: "antivirus" and compliance tools built into firewalls, not reverse proxies built into load balancers.
I strongly disagree: who is in control, how it is implemented, and the purpose of the product are all both extremely important and fundamentally different between the two use cases. An "antivirus" filter ends up implemented as a man-in-the-middle attack between software I wrote and servers I contract and control, wherein protections that were actively put in place are stripped away in order to increase the attack surface. A reverse proxy is something that I actively implemented as part of my infrastructure, and I am contracting for it and paying for it like anything else I rent.
It became "extra cool" to hate on reverse proxies recently while everyone hates CloudFlare (and to be clear: I've hated CloudFlare since before it was cool to hate on CloudFlare, and you should check my comment and submission history to verify if you don't believe ;P), but what people are essentially complaining about are "it encourages you to do something insecure", which I think is actually largely true only of CloudFlare, and you have to remember that the vast majority of developers who are using CloudFlare are doing so because they don't know much about network administration.
But like, think about it this way: Apache is also an SSL termination point. The code in your website is likely 99% "transform a URL into SQL, then transform the result into HTML": it is just a dumb encoder/decoder, and pretty exactly analogous to an SSL termination point. If you really believe in true end-to-end encryption, then having this webserver in the middle is a bad idea: you should route requests directly to database servers and ensure that at no point does any non-database computer have a decrypted copy of the information that will eventually be rendered to the user.
Another thing to think about: if you are heavily concerned that the CDN or reverse proxy service you are using has access to your traffic, realize that they are no different than using a hosted server. We don't even need to invoke "the cloud" for this one: unless I built the machine myself, I have no way of knowing that the server I am renting to run my database server on isn't running under a hypervisor that is allowing dumps of my decrypted memory. A reverse proxy is just another piece of rented infrastructure that someone else is in control of, and I don't see many people (though if you are, that's great, and then I'd be really happy ;P) insisting that everyone build their own computers and host them at their office, to make sure decrypted data never touches a computer owned and operated by someone else.
The risk profile is also just so fundamentally different, in no small part due to these differences of "who is in control and how is it implemented". Let's say that CDNetworks is failing to check SSL certificates correctly: how exactly are you going to attack that against my website? I mean, sure: if you are a state-level actor, that is going to be easy, but otherwise, that's going to be extremely rough. An "antivirus" filter that, as described in this alert, is failing to correctly check SSL certificates... well, that opens you up to attack by amateur attackers that are "close to you", such as a stalker or an ex-spouse or a corporate competitor. You can't just claim "well, if I abstract away all of the details, they look the same"... you have to look at why you care and verify that you didn't strip away anything required and relevant.
You seem to think whoever opts into adding it to the pipeline makes the difference (client vs server). It doesn't. Consider that a client in a remove location can build in a caching load balancer into their pipeline that you wouldn't realize is present that is built with exactly the same software you would put into your pipeline.
Both clients and servers can have TLS terminating things in the chains that perform arbitrary functions. All of them increase attack surfaces and risks of implementation bugs.
> If you really believe in true end-to-end encryption, then having this webserver in the middle is a bad idea: you should route requests directly to database servers and ensure that at no point does any non-database computer have a decrypted copy of the information that will eventually be rendered to the user.
I can't say I haven't considered abusing PL/pgSQL to that point... ;)
>An "antivirus" filter ends up implemented as a man-in-the-middle attack between software I wrote and servers I contract and control, wherein protections that were actively put in place are stripped away in order to increase the attack surface. A reverse proxy is something that I actively implemented as part of my infrastructure, and I am contracting for it and paying for it like anything else I rent.
Those can equally happen the other way around. You might put an antivirus filter in place on your own network. Your hosting provider might set up their own reverse proxy.
> But like, think about it this way: Apache is also an SSL termination point. The code in your website is likely 99% "transform a URL into SQL, then transform the result into HTML": it is just a dumb encoder/decoder, and pretty exactly analogous to an SSL termination point. If you really believe in true end-to-end encryption, then having this webserver in the middle is a bad idea: you should route requests directly to database servers and ensure that at no point does any non-database computer have a decrypted copy of the information that will eventually be rendered to the user.
I agree with that - best to have the database and the web server on the same server, communicating via local socket or shared memory. Better still to compile the web layer and the data layer into the same unikernel. Current best practice (e.g. PCI-DSS) seems to accept having an (encrypted) network connection between distinct web and database servers, but only within a single physically secured rack. You're right that if you do the same thing with a load balancer (have it in the same physically secured rack as your web servers, encrypt connections between it and them) then it's no less secure, but I don't think people would want to be using a load balancer within a single rack anyway, since most of the point of a load balancer is availability and you want separate racks for that. Certainly a third-party reverse-proxy is a substantial weakening of security.
> I don't see many people (though if you are, that's great, and then I'd be really happy ;P) insisting that everyone build their own computers and host them at their office, to make sure decrypted data never touches a computer owned and operated by someone else.
I wouldn't go that far - AIUI PCI-DSS etc. require you have physically secured/access-controlled servers but allow you to rent space/power/cooling from a datacenter operator (though they don't get access to your rack, and possibly have to also be audited themselves).
> Let's say that CDNetworks is failing to check SSL certificates correctly: how exactly are you going to attack that against my website? I mean, sure: if you are a state-level actor, that is going to be easy, but otherwise, that's going to be extremely rough. An "antivirus" filter that, as described in this alert, is failing to correctly check SSL certificates... well, that opens you up to attack by amateur attackers that are "close to you", such as a stalker or an ex-spouse or a corporate competitor.
It's a different risk profile to be sure. Are you more worried about someone making a large-scale attack against the remote service you were connecting to, or just against the Internet in general? Or someone making a small-scale local attack? I think both can be serious; it's not just state-level actors but also large criminal rings or even political groups that would potentially have the resources to execute an attack against a particular service (e.g. a medical provider doing something politically contentious, or just anything that accepts credit cards / personal information).
When running on the same machine, reverse TLS-terminating proxy isn't different from built-in TLS implementation, except for done in "microservice-like" way.
Most certainly, there's no difference whatsoever (or almost so, if the reverse proxy is "smart" and has some application logic in it) if your webapp doesn't speak HTTP natively, but talks FastCGI/uWSGI/SCGI protocols instead. Which is quite common.
I mean, the actual interface (passing buffer pointers in the local process or passing same data via local UNIX sockets) shouldn't matter much, right? As long as interfaces have similar security properties and all the necessary data is passed around properly. A sufficiently privileged user can introspect both (with ltrace or tcpdump), and insufficiently privileged one can't do anything anyway.
Yes, it's possible. The crypto bits the host is sending are different from the crypto bits the client is receiving. There are several ways to compare those, despite what the MITM box is doing. Out of band channels, timing, and order of data can be used.
I sometimes refer to HTTPS Everywhere as "Security Theater Everywhere". Before the mania for HTTPS, many sites only used HTTPS only for crucial transactions such as logins and credit cards. Those were infrequent enough that they didn't have to go through a CDN. Now, with HTTPS Everywhere, there's no distinction between the stuff that has to be hidden from observers, and the stuff which only needs something like Subresource Integrity to make sure it hasn't been messed with. So now the secure channel over which credit card numbers and logins are passed is exposed at the CDN.
It's not safe to do only logins over HTTPS because if the initial site is served over HTTP, an attacker could rewrite the URL or inject JavaScript to leak your password.
Also, once you're signed in, every request sends a cookie which is also valuable to steal as it's an active session.
Every request needs to be encrypted. We haven't made TLS worse by deploying it everywhere.
There is a larger number of threads we are opposing. I want everything over HTTPS because that how I know its actually the site that I wanted.
How many more cases do we need where some stupid ISP or middleware puts ads into other peoples webpage. Not to mention that those ads might also be a security problem.
Privacy is another issue that HTTPS Everywhere at least helps considerably. The NSA literally tcpdumps the internet and uses sophisticated tools to analyse it. I prefer to have a internet that makes it hard for the NSA and company.
We have MITM detection in the browser. It's called certificate validation.
Browser certificate validation hasn't been as simple as "check CA signature" for close to a decade, and even a decade ago you could configure your browser to trust only certain CAs, or, through the certificate exception manager, only certain specific certificates.
Most of the usual client-side JavaScript crypto caveats apply: Of course, all bets are off if the man in the middle is also a man in your device. You should give up any expectations of privacy in this case.
In that case even if you MITM it - all the bad guy gets is encrypted (AES) data. Whitebox does sound a bit like black magic, but it's widely deployed (over 5 billion devices for Irdeto's) and add a nice layer to ensure that you're actually talking to the end users browser, and it's your code that's running on it.
Snake-oil. If I MITM, I'll just add my own code that copies the plain-text to my server, I don't need to break any encryption. It's nothing more than an obfuscation layer.
We did think of that :) - we can detect your tampering with the forms we protect. But that said it doesn't stop everything if you can install a keylogger, or get the user to enter data somewhere else we can't stop it and it does depend on where in the user journey you try and protect things, as someone else here has pointed out if any of the journey is HTTP (or HTTPS being MITM) then they can send the user somewhere else.
However I'd also argue you don't actually need to stop people grabbing the data. Noticing achieves a large chunk of that, as (for example) I can notify the credit card system it's happened.
Frankly, regarding MITM, that paper is just nonsense. How can it "ensure contents of a message are secure on the 'wire', by encrypting with a secondary scheme between the JavaScript client and the server", when you can't even guarantee that the signing and encryption code isn't tampered with in-flight?
And you can't guarantee that you can notify either, and for the same reason. The code that leaves your server won't be the code that actually runs on the client - it'll be a mutated version that will say "everything is OK" and acts normally to your server while it sends all the data somewhere else.
Nothing has changed since [1] was written; I don't see how that is anything but DRM promising more than it can deliver.
I am confused, initially you said "you can prevent MITM" now you say "doesnt stop everything...(HTTPS being MITM)". So your claim is that your product can or can not prevent MITM?
It can prevent MITM IF it's loaded in client page (defining MITM as network interception).
It can't stop keyloggers, people looking over your shoulder, malware in the browser (MITB)/plugins as it still sits within the browser sandbox. It can in some cases detect that, and in some cases hinder it.
An attacker can stop it loading by MITM the connection, but then the site can't work against it's APIs as the solution also verifies as data goes into those API's the encryption is present and the code isn't tampered. If it's tampered a business rule is applied to decide what to do, either stop the messages, OR pass it back to risk management systems (very common in finance).
You can still do the exact same thing: have a specific (sub)domain for those crucial transactions, while the main domain gets served by the CDN.
Alternatively, and in my opinion better, is to have a (sub)domain for static assets, served from the CDN, and keep the main one free from man-in-the-middle.
Then those organizations using MITM boxes will install a patch or special modified browser on their members' computers instead of installing a certificate. What's the difference? They still control the computer and can bypass whatever security it has.
A while back I remember seeing on HN there was a issue with a certain vendor and ChromeBooks because Chrome used a newer TLS(And the mitm vendor vendor was noticed in advance too, and didn't update their product).
I wonder how schools and banks plan to react to this... Apparently financial firms have to record everything their employees do for some regulations.
To me, schools doing this sort of thing is wrong. I wouldn't be surprised if the principle would grab people's passwords and login to their accounts even. I know some schools even went as far to demand students hand over their passwords to social media when they report bullying... Which if the school blocks social networks anyways, I don't see how it's a school issue for what happens outside of school...
If this sort of thing really needs to be done, at-least people should be warned and aware they are being monitored. If it's for a bank and it's only company equipment everything is being monitored it seems a bit more okay to do if everyone is well aware. "You are only to use work computers for official business." sort of policy.
> financial firms have to record everything their employees do for some regulations
Phone calls, emails, instant messages and other forms of client contact, yes. Internet browsing history? No. Rest assured, many firms do this. But it's because they decided to, not because of regulation.
Why isn't it enough to do the tracking/audit log in the server side? I can't imagine even the JP Morgan Chase CEO lives under surveillance of JP Morgan Chase Bank 24/7. Just require them to use centralized services and keep audit log of that? Sounds simple enough. I don't get the need to monitor all traffic. Surely the sensitive servers have audit log independent of network?
Yeah, https://news.ycombinator.com/item?id=13750379 is the original thread. I don't know that school personally, just talking in general I don't think I'd trust school admins with that level of access.
So how do I test if my workplace is doing a good job of this? The article mentions badssl.com. Do I just click all the red links in the certificate section and verify that my browser is refusing to display the pages?
You want to do that both on your intercepted LAN and with a direct connection and compare the results. If they both give the same results you can be happy your MitM proxy is at least treating insecure sites equivalently. You still lose the advantage that you browser will tell you why the site is insecure
I'm currently fighting a battle in a company in the middle of rolling out Blue Coat ProxySG. I only became aware of it because it began causing interruptions to our work since none of the development tools get the necessary root cert to validate the certs that the proxy is rewriting. The root cert is only installed into the Windows credentials to make browsers work and it's left up to every client to fix whatever other problems they have.
One of the common arguments I've encountered from people is along the lines of "if the company trusts the security people, then I trust the security people". However this ignores the fact that the company has legally enforceable agreements in the form od employment contracts, NDAs, and what-have-you that protect the company against a breach of that trust.
But what kind of protection do you have as an individual if, for what ever reason, one of the security people decides to single you out while they have unsupervised access to you social media logins, personal email and credit cards numbers and financial details (and lets face the fact that everyone does all of these things to some degree on a work computer).
The answer is that you more than likely have no protection at all (likely not even in workplace law). Even if you suspected someone had inappropriately accessed your personal details, the company almost certainly has an IT policy saying that you shouldn't be using your computer for personal use. You're screwed.
However these inspection boxes drastically change the situation to what it was before, because most people outside the IT department won't even know about this drastic change in capability. And likely they try hard not to think about until (if) they discover something has happened. I'm sure everyone here is aware of the abuses of NSA employees spying on their wifes, or ex-es [0]. Such is human nature.
Sadly I suspect that all these arguments will do little to change the situation. It seems more likely that the companies who deploy these systems are only going to listen to arguments specifically about how it is increasing work, causing delays of deliveries and affecting project costs.
> The answer is that you more than likely have no protection at
> all (likely not even in workplace law). Even if you suspected
> someone had inappropriately accessed your personal details,
> the company almost certainly has an IT policy saying that you
> shouldn't be using your computer for personal use.
The answer is to stop ignoring the policy. Reserve the corporate device for work activities. Use personal devices for personal things and consider the corporate network to be hostile -- use a VPN.
This is exactly what my company went through just a few months ago when we hired an IT security guy whose first order of business was setting up a Palo Alto Networks firewall. Before turning on the MITM functionality he gave a presentation to everyone about what it did, and nobody (support staff, developers, administrators, management...nobody) seemed to mind except for me.
This was what I sent to the HR lead immediately after the meeting:
I remember a while back we all signed some document regarding data security here. I don't remember what that document said specifically -- did it mention at all the possibility that all of our network traffic could be monitored? I ask because, while [new security guy] claims that with the new firewall "No data is stored or made available for other purposes," the fact is that it absolutely can be viewed and stored, and we as the end users have no way to verify whether it is or not. On Palo Alto Network's own website there are comments from other users of our firewall asking how to disable packet inspection in the logs because, "I can also see users passwords in some cases".
I understand and agree with the necessity of setting up a firewall that can inspect encrypted traffic. However, I also understand that this means everything we do or send on the office internet can be inspected by presumably anyone with access to the firewall's back end (including personal passwords and anything usually thought of as "secure"). I'm not sure how clear this is to some (or most) of the employees here. If the agreements that we signed don't reflect this, I think they should be updated and re-agreed to.
[some back and forth ensued, where she reminded me of a line in the agreement that does say we can be monitored at any time]
That may be fine then. All I know is that I heard some concern over being able to go to facebook and whatnot, which seemed to be relieved when we were told it would still work. I just don't know whether or not people realize that while they can still go to facebook, theoretically anything they say or do on it, including all of their login information, chats, and posts marked to be shown only to friends can (though not necessarily will) be viewed by the company as well.
I could be making a bigger deal out of this than it needs to be, I just tend to take online privacy matters pretty seriously. Assurances that the data will be treated responsibly (not viewed or cached) are all well and good, but at least for me, aren't good enough. I won't be going to any personal websites on the network here at all.
But it's far worse than that. Look further down in the thread where a security guy has pre-emptively invoked the "acceptable use" policy to cover for up for incompetence to secure the MITM proxy appropriately.
Acceptable use policies are not self-enforcing, they are really only used selectively, regardless if they say you shouldn't use your computer for personal use. Everybody does that to some degree and it is accepted in reality as long as it's within certain limits.
If the policy was self-enforcing then half the internet would be blocked, but of course companies don't do that because no one wants to work in that environment.
If you're watching porn or torrented movies, you'll either get a warning or fired, but the company will do nothing if you make an online payment.
But what happens if the proxy gets hacked and the attacker gets hold of your banking/personal logins/data? Who is most likely to discover the hack? Probably the same security guys who are managing the proxy. Will the security guys do the right thing and inform management that a hack occurred? Will the company also then do the right thing and inform all their employees that a hack occurred and now you might be missing some money? Will the company choose to hide behind the “acceptable use” policy to absolve itself from liability and say that it was you doing the wrong thing and stuck with the costs of your actions?
At each layer beginning at the individual working in the security team, to the whole security team, to the company management team, to everyone working at the company, that the incentives are aligned to cover up such an incident rather than reveal it.
The TLS inspection proxy is a bad system and worse still it’s a dangerous system in the hands of people who are not capable of providing and unbiased assessment of the risks they are exposing themselves and everyone else to, not to mention the company. It’s more than just financial risk, it’s the moral-hazard kinds of risk that really concern me because of the lack of transparency/understanding of its roll out, the incentives to cover up when something bad happens, and the lack of legal protections afterwards.
I very much agree with all of these points, which is why, as I told my HR rep, I won't use any personal websites on the work network at all since the HTTPS interception was turned on. It's been a gigantic pain in the ass doing things like checking my bank statements or whatever on my phone only, but I live with it. The only non strictly work related site I go to is this one, with this throwaway account/random password.
On the topic of liability and owning up to a potential hack, I think my company would be transparent about it, based on a history of being transparent about many atypical things in the past. We're not public, never received any VC funding, and nobody has any equity stake in the company except for the owner, who himself goes over the entire company's income statement in front of all the employees once per year to let us know where all the money's coming from/going to. I do believe he would do whatever he could to make it right, because the buck stops with him and him alone.
Clearly that's only a small comfort if our personal information is leaked, but I don't think in my case it would be covered up. I could certainly see that being the case in most corporate structures, though.
TLS MITM devices also break required components of TLS, such as TLS client certificates. If you want to have TLS sessions with mutual authentication it can't go through the MITM.
A way forward might be to start requiring TLS client certificates for business products. :-)
For us, we use TLS client certificate authentication to authenticate almost all our users so any TLS MITM breaks that and is unacceptable. This is really common and tens of millions of people use TLS client certificates this way everyday -- mostly with client certificates on smartcards.
And the answer is going to be custom unspecified encryption inside the encrypted channel.
HTTPS mitm proxying is a dumb idea that can't work right but is easy to sell to executives. It will be defeated until we're at the state of a few years ago, where the products that really matter, like banking, have tough security and the rest has less.
I understand that few vendors may be doing it (I know one which does at least the first 2). Probably the worst offense is choosing the weakest TLS version + cipher to save resources, like using TLS 1.0 because it take less resources to decode/encode than TLS 1.2 + elliptic curve.
> Probably the worst offense is choosing the weakest TLS version + cipher to save resources, like using TLS 1.0 because it take less resources to decode/encode than TLS 1.2 + elliptic curve.
This isn't true. It takes less resources to use ECC. Vendors use TLS 1.0 because they use outdated software they haven't updated in ages.
On the other hand, a MITM proxy can also do upgrade "attacks"(?!), communicating with remote servers over the Internet using a stronger protocol than the clients on the LAN behind it support.
In fact it seems to me that having the validation happening in one place may potentially be easier to maintain than across many different clients' software.
You're assuming people on the LAN can upgrade to recent browsers. A lot of them are stuck on Windows XP. I realize that's a "you have bigger problems" type of scenario, but you also have to play the hand you're dealt.
If an organisation has a large number of networked computers on Windows XP they are going to have more issues than that - having no SNI support is one.
But you see the Host header after the TLS handshake, after the certificate was sent. The poitn of SNI is to indicate the host header during the TLS handshake so that you get the right certificate. HTTP with the host header is one layer up. Again, this is for transparent proxy where no CONNECT is being sent.
Do you have any links to how the errors are passed through to the client? Do you mean that they imitate the incoming certificate exactly or send the information by some other method?
One important reason to do ssl inspection is to detect the exfiltration of corporate data, particularly if your organisation is likely to be attacked by governments or sophisticated crime gangs.
I know my organisation do SSL inspection, but they have whitelisted common personal websites like internet banking to protect the privacy of staff.
As far as I'm concerned, if your risk profile requires you to do SSL inspection then this is the right way to do it.
- PKI is a little more tricky, as there's no single standard that defines it, though to get basic idea of what are certificates read RFC 5280 (https://tools.ietf.org/html/rfc5280).
Sure, you can dig as deep as you want, but these resources should give you a good starting point.
I think the take away is that your mitm box will eventually screw up, and you will be liable for whatever results, from brokenness (e.g. the 40,000 chromebooks going offline) to complete disclosure of company-breaking information.
Exactly my idea, but after reading the article I'm severely disappointed that the whole practice isn't declared bad. Instead it only points out that some mitm boxes are even more broken than I though possible and mess up cert validation.
It's a terrible practice, the article doesn't even go into some other things like how easy is it to actually break into the intercepting software and steal the private cert so you can mitm the network for free!
and I'm a dev at one of these companies!
We really didn't want to add the feature but we were bleeding customer's who for some reason had to have it.
( Yes, we do validate the certificates )
We decided to bite the bullet when it looked like even Google was "supporting" being mitmed as a customer pointed out.
It might weaken TLS, but it also stops the 3000 head of cattle I managed from being able to watch porn (6 incidents) and torrent movies (47 copyright notices). If their internet banking, which they're not supposed to be doing at work, gets compromised then I really couldn't care less.
You don't need HTTPS interception to block sites. Passive observation of the negotiation is sufficient for most purposes, much simpler, and much less risky.
This makes me feel nostalgic for the custom IT job I did at this oil-patch vendor a while back. They had a failing Win2k server and a SonicWall residential-class router "securing" their business. I replaced it with a linux based firewall and a linux based file/app server.
We basically had to protect the executive network/fileserver from outside and inside threats, keep porn/facebook/twitter off the production floor, and the rest was my design to streamline development/production operations. I've never had so much fun writing iptables rules. It's probably swiss cheese by today's security standards and known vulnerabilities, but it was hot stuff in 2008. :)
I guess I cared an awful lot about users of my infrastructure. Now people consumer my relational schemas but I still care.
1. Snooping on their internet banking is ILLEGAL for you to do and puts YOU in hot water. You realize you could be put out of business by lawsuits right?
That would defeat the whole point of a proxy, if I can't see what they're doing and report on people who are doing the wrong thing (according to their employment contract), then why bother?
"The whole point of a proxy" isn't to spy on people, even if that's the only reason you use it.
For instance, you could block lots of crap with the proxy, thus increasing your organizations security. Does your need to spy on employees watching porn outweigh the potential benefit of not having to deal with porn viruses?
You could also use the proxy to cache pages, so that your thousands of users don't waste bandwidth downloading the same pages over and over again. You can do this without harming your ability to spy on people.
That's one way to see it. In my experience, those proxies in schools are a great way to motivate students to self-educate about how the internet works and about online privacy tools like TOR...
