On Mon, Jun 1, 2015 at 12:56 PM, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> On Mon 2015-06-01 07:36:01 -0400, Krzysztof Kwiatkowski wrote:
>
>> Yes, that's exactly what we do in our configuration. We have 24 servers
>> with a rather high workload. SSL is offloaded on an F5 load balancer and
>> the servers behind the load balancers receive decrypted traffic.
>>
>> I'm not aware of any performance issues. And in fact it's quite a good
>> idea, as the server itself doesn't need to know anything about the TLS/SSL
>> protocol.
>
> ... And the network connecting the load balancers to the backend
> servers is completely physically secured, has no untrusted devices
> connected to it anywhere, and all the backend servers completely trust
> each other to avoid snooping or interfering with each others' traffic
> ... right?
+1. I've seen financial institutions use T1 or T3 framing between data centers as the only protection (and not IPsec or TLS). Their thinking was that no one could really tap the copper or fibre, so it was not a problem. If someone did tap it, then the signal could not be used/interpreted without special equipment, so it was not a problem again.

I've also seen malware burrow in within the security boundary at financial institutions. The malware was more than happy to leave the databases alone and sniff the traffic to avoid IDS. And the malware will encrypt its outgoing payload on the way to its dead-drop, so the data gets encrypted eventually :)

Jeff

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev