Re: breaking TLS (Was: Re: multiplexing -- don't do it)

Hi Martin,

On Tue, Apr 03, 2012 at 02:34:06AM +0200, Martin Thomson wrote:
> I suspect that, at the root of all this, is a desperate attempt by
> administrators to retain some sort of control.  The fact is that the
> way that we communicate on the web is vastly more complex than their
> policy engine is capable of managing.  Adding real time communications
> only complicates that further.
> 
> The quick and easy solution to the realtime communications mess is
> blocking UDP.  My guess is that this is what we'll get.  Controlling
> this is going to be quite complex.  That said, with a lot of work, I
> can see how sites might be selectively allowed onto a whitelist.

You know, I have several customers where the only way to look outside is
to pass through a proxy; that's fairly common, especially in companies
which run on non-RFC1918 addresses. At these places, it's very simple:

  - port 80  => URL classification + content inspection
  - port 443 => destination must match a short whitelist of allowed domains
    that are directly related to employees' job

And I'm seeing this becoming more and more common because it's simple and
efficient to apply the web policies that managers want. In fact the first goal
is not to ensure there is no data leak, the first goal is to try to protect
the PCs against malware as much as possible by limiting their access to what
they really need, because infected PCs cost *a lot* to an enterprise by
preventing people from doing their job. Of course there is also the goal to
avoid the temptation of entertainment. If people want to browse unfiltered,
they do it with their smartphones and it's their problem.

Regards,
Willy

Received on Tuesday, 3 April 2012 06:32:21 UTC
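As an added example (not code from this thread or from any proxy product), here is a small Python policy evaluator modelling the two-tier egress policy Willy describes above: port-80 requests go through URL classification plus a response-side content check, while port-443 CONNECT requests must hit a short domain allowlist. The allowlist entries, category table, request lines and the executable-download rule are all constructed for illustration; `evaluate_request`, `host_allowed`, `classify` and `inspect_content` are hypothetical names.

```python
"""Egress-proxy policy evaluator modelled on the two-tier policy in the thread.

Added example, not code from the mailing-list thread or any real proxy.
Port 80 requests go through URL classification (plus a content check on
the response); port 443 CONNECT requests must hit a short domain allowlist.
All domains, categories and request lines below are constructed.
"""
from typing import NamedTuple
from urllib.parse import urlsplit

HTTPS_ALLOWLIST = {"mail.example.com", "erp.example.com"}  # constructed
URL_CATEGORIES = {                                          # constructed
    "docs.example.com": "business",
    "news.example.org": "news",
    "games.example.org": "entertainment",
}
BLOCKED_CATEGORIES = {"entertainment", "malware", "uncategorized"}


class Decision(NamedTuple):
    allowed: bool
    reason: str


def host_allowed(host: str, allowlist: set) -> bool:
    """Match on DNS-label boundaries (exact host or proper subdomain).

    A substring check such as `"mail.example.com" in host` would also accept
    any longer name that merely contains the allowed name; matching on label
    boundaries keeps the allowlist meaning what the administrator wrote.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowlist)


def classify(host: str) -> str:
    """URL classification: unknown hosts are 'uncategorized', which is blocked."""
    return URL_CATEGORIES.get(host.lower(), "uncategorized")


def evaluate_request(request_line: str) -> Decision:
    """Apply the policy to one proxy request line (method, target, version)."""
    try:
        method, target, _version = request_line.split()
    except ValueError:
        return Decision(False, "malformed request line")

    if method == "CONNECT":
        # Tunnelled TLS: the proxy only sees host:port, so it decides by name.
        host, _, port = target.rpartition(":")
        if port != "443":
            return Decision(False, f"CONNECT to port {port} not permitted")
        if host_allowed(host, HTTPS_ALLOWLIST):
            return Decision(True, "443: destination on allowlist")
        return Decision(False, "443: destination not on allowlist")

    # Plain HTTP via a proxy carries an absolute URL in the target.
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        return Decision(False, "only absolute http:// URLs accepted on port 80")
    if (url.port or 80) != 80:
        return Decision(False, f"port {url.port} not permitted for http")
    category = classify(url.hostname)
    if category in BLOCKED_CATEGORIES:
        return Decision(False, f"80: category '{category}' blocked")
    return Decision(True, f"80: category '{category}' allowed, content inspection follows")


def inspect_content(body: bytes) -> Decision:
    """Response-side content inspection for port-80 traffic.

    One constructed rule: refuse Windows PE executables (magic bytes 'MZ'),
    the kind of download the policy exists to keep off workstations.
    """
    if body[:2] == b"MZ":
        return Decision(False, "content: executable download blocked")
    return Decision(True, "content: ok")


if __name__ == "__main__":
    # Constructed request lines, as a proxy would log them.
    for line in [
        "CONNECT mail.example.com:443 HTTP/1.1",
        "CONNECT mail.example.com.other.test:443 HTTP/1.1",
        "CONNECT erp.example.com:8443 HTTP/1.1",
        "GET http://docs.example.com/handbook.pdf HTTP/1.1",
        "GET http://games.example.org/ HTTP/1.1",
        "GET http://unknown.example.net/ HTTP/1.1",
    ]:
        print(f"{line:50} -> {evaluate_request(line)}")
    print(inspect_content(b"MZ\x90\x00"))
```

The split between the two tiers follows from what the proxy can see: for a CONNECT tunnel only the destination name is available, so the decision has to be an allowlist by name, whereas for plain HTTP the full URL and the response body are visible and can be classified and inspected. The one check worth copying from this toy is the label-boundary match in `host_allowed`; a default-deny for uncategorised hosts is the other choice that makes the port-80 tier meaningful.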