On 12/6/2017 08:17, Cy Schubert wrote:
>
>> It can be illusory. My last job was as Sec Mgr for a large bank. They
>> disabled cert checking on client devices, placed a wildcard cert at the
>> internet boundary and captured all https unencrypted. An alternative
>> approach to advocate is dnssec. :)
>
> And you just let this happen under your watch?
The reason such is done is that the IT people /have/ thought about it and determined that being able to /scan and archive/ all traffic going in and out is worth more than the "security" afforded by allowing HTTPS originated beyond their border in. Oh, by the way, in some lines of business said ability to scan and archive is a matter of regulatory compliance.......

I'm not, by the way, opining on whether this is a correct analysis or not.

But I will note for the record that Avast's anti-virus products will, by default, do exactly this sort of intentional interception on IMAP server traffic aimed at port 993 in an attempt to detect trojans and viruses that are attached to email messages.

-- 
Karl Denninger
[email protected]
/The Market Ticker/
/[S/MIME encrypted email preferred]/
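Both posts describe the same pattern: a middlebox (a corporate boundary device or a local anti-virus "shield") presents its own certificate for an IMAPS or HTTPS endpoint, and the client accepts it because checking was disabled or a local root was installed. The following is an added example, not code from either poster, showing how a client or monitoring job can notice that from its own side: it records the real server's leaf-certificate fingerprint and expected issuer out of band (from a network you trust) and compares what a port-993 connection actually presents. All certificate contents, DER bytes and the issuer names below are constructed placeholders; `probe_imaps()` is the only function that touches the network and is not exercised by the offline sample data.

```python
"""Detect a TLS-intercepting middlebox on an IMAPS (port 993) connection by
comparing the presented leaf certificate against an out-of-band expectation.

Added example. Assumes you previously captured the SHA-256 fingerprint of the
genuine server's leaf certificate and its issuer from a trusted network.
"""
import hashlib
import socket
import ssl


def cert_values(cert, section, attribute):
    """Collect attribute values (e.g. organizationName) from the nested
    tuple structure returned by ssl.SSLSocket.getpeercert()."""
    return [value
            for rdn in cert.get(section, ())
            for key, value in rdn
            if key == attribute]


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension, as plain strings."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def sha256_fingerprint(der_bytes):
    """Hex SHA-256 over the DER encoding, i.e. what 'openssl x509 -fingerprint
    -sha256' prints (without the colons)."""
    return hashlib.sha256(der_bytes).hexdigest()


def classify(cert, der_bytes, pinned_fingerprints, expected_issuer_orgs):
    """Return a list of findings; an empty list means the leaf matches what
    was pinned. Three independent signals are checked so that a single
    mismatch still surfaces even if the middlebox copies the subject name."""
    findings = []
    fp = sha256_fingerprint(der_bytes)
    if fp not in pinned_fingerprints:
        findings.append(f"leaf fingerprint {fp[:16]}... is not pinned")
    issuers = cert_values(cert, "issuer", "organizationName")
    if not any(org in expected_issuer_orgs for org in issuers):
        findings.append(f"unexpected issuer organization(s): {issuers}")
    # Heuristic: a wildcard leaf where the real server uses a specific name is
    # the "wildcard cert at the internet boundary" pattern from the thread.
    if any(name.startswith("*.") for name in san_dns_names(cert)):
        findings.append("wildcard SAN presented where a specific host name was pinned")
    return findings


def probe_imaps(host, pinned_fingerprints, expected_issuer_orgs, port=993, timeout=5.0):
    """Live check against a real server. Note that an interception root
    installed in the local trust store makes default verification *succeed*,
    so the fingerprint/issuer comparison in classify() is what actually
    reveals the middlebox."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return classify(cert, der, pinned_fingerprints, expected_issuer_orgs)


# ---- Constructed sample data (not a real server's certificate) -------------
LEGIT_CERT = {
    "subject": ((("commonName", "imap.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example CA R3"),)),
    "subjectAltName": (("DNS", "imap.example.com"),),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("organizationName", "Corporate Inspection CA"),),
               (("commonName", "Corporate Inspection Root"),)),
    "subjectAltName": (("DNS", "*.example.com"),),
}
# Stand-ins for the DER bytes of each leaf; only their hashes matter here.
LEGIT_DER = b"constructed: stands in for the genuine leaf certificate DER"
MITM_DER = b"constructed: stands in for the middlebox wildcard leaf DER"

PINNED_FINGERPRINTS = {sha256_fingerprint(LEGIT_DER)}
EXPECTED_ISSUER_ORGS = {"Example Public CA"}


def demo():
    """Run classify() over both constructed certificates."""
    return {
        "genuine": classify(LEGIT_CERT, LEGIT_DER, PINNED_FINGERPRINTS, EXPECTED_ISSUER_ORGS),
        "intercepted": classify(INTERCEPTED_CERT, MITM_DER, PINNED_FINGERPRINTS, EXPECTED_ISSUER_ORGS),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "no findings")
```

In a real deployment the pinned fingerprint has to be refreshed whenever the server legitimately rotates its certificate, so pinning the issuer organization (or the issuer's SPKI hash) is the more durable of the two signals; the fingerprint check is what catches a middlebox that was issued under the same public CA name.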
