On Mon, 2012-02-13 at 12:42 -0600, Nico Williams wrote:
> On Mon, Feb 13, 2012 at 12:32 PM, Phillip Hallam-Baker <[email protected]> wrote:
> > Presumably the next step the companies providing this facility will
> > take is to offer their own browser with the capability built in. It is
> > no good jumping up and down saying people should not make such
> > devices. The choice we have is whether to do the job right or let them
> > do it without any input.
> >
> > What I find wrong with the MITM proxies is that they offer a
> > completely transparent mechanism. The user is not notified that they
> > are being logged. I think that is a broken approach because the whole
> > point of accountability controls is that people behave differently
> > when they know they are being watched.
> Not all spy-on-your-employees solutions are bad, thus the fact that
> alternatives will arise does not necessarily bother me. Only those
> that can be used against users who are not informed or have no way to
> avoid the MITM (employees can always... not use employer networks for
> personal use). Think of people in Iran, Syria, ...

With an ability to define how to interpret various security / trust sources/inputs at the host operating system level, this is an already solved issue. The managed corporate computer environment need only have a policy activated which trusts the MITM-CA, and modulo application implementations (including browsers), it is a matter of GUI/HMI how to display the SSL-connection to the MITM device versus other input sources, should they be active in the policy.

If users can see they are using a more trusted environment at home than at their MITM:ing work place, all the better?

/M
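The host-level trust policy sketched in the reply above, as an added example in Python; it is not code from this message, from the list, or from any IETF work. It assumes a policy is a list of trust sources, each naming the anchors it vouches for by SHA-256 fingerprint and tagged as either public roots or an enterprise interception CA (these kinds, the certificate dict shape, and every name and fingerprint below are constructed assumptions). The point it demonstrates is the one the thread turns on: the same chain that reads as "secure" on an unmanaged machine is presented as "inspected by" the interception CA on the managed one, rather than transparently.

```python
"""Surface which trust source validated a TLS chain, per a host-level policy.

Added example, not from the thread. Certificates are modelled as plain
dicts (subject, issuer, DER bytes); all DER blobs, fingerprints, names
and policy lists below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Cert = Dict[str, object]


@dataclass(frozen=True)
class TrustSource:
    """One configured source of trust and the anchors it vouches for."""
    name: str
    kind: str                       # assumed kinds: "public" or "enterprise-mitm"
    anchor_fingerprints: frozenset  # SHA-256 over the anchor's DER, hex


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def chain_is_linked(chain: List[Cert]) -> bool:
    """Leaf-first chain: each issuer must name the next cert's subject,
    and the final certificate must be self-issued (the anchor)."""
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return False
    return chain[-1]["issuer"] == chain[-1]["subject"]


def classify_chain(chain: List[Cert], policy: List[TrustSource]) -> Tuple[str, Optional[str]]:
    """Map a chain to a user-visible indicator under the active policy.

    Returns (indicator, source_name) with indicator one of 'trusted',
    'intercepted' or 'untrusted'. Signature verification and name
    matching are assumed to have happened already; this step only decides
    how the connection's trust origin is presented to the user.
    """
    if not chain or not chain_is_linked(chain):
        return ("untrusted", None)
    anchor_fp = fingerprint(chain[-1]["der"])
    for source in policy:
        if anchor_fp in source.anchor_fingerprints:
            if source.kind == "enterprise-mitm":
                return ("intercepted", source.name)  # visible, not transparent
            return ("trusted", source.name)
    return ("untrusted", None)


# --- constructed sample data -----------------------------------------------
PUBLIC_ROOT_DER = b"constructed public root DER"
CORP_MITM_DER = b"constructed corporate interception CA DER"

PUBLIC_ROOTS = TrustSource("Public roots", "public",
                           frozenset({fingerprint(PUBLIC_ROOT_DER)}))
CORP_MITM = TrustSource("Corp MITM CA", "enterprise-mitm",
                        frozenset({fingerprint(CORP_MITM_DER)}))

HOME_POLICY = [PUBLIC_ROOTS]             # personal machine: public roots only
WORK_POLICY = [PUBLIC_ROOTS, CORP_MITM]  # managed machine: interception CA enabled

# The same site seen directly and seen through the interception device.
DIRECT_CHAIN = [
    {"subject": "CN=www.example.com", "issuer": "CN=Public Root", "der": b"leaf-direct"},
    {"subject": "CN=Public Root", "issuer": "CN=Public Root", "der": PUBLIC_ROOT_DER},
]
INTERCEPTED_CHAIN = [
    {"subject": "CN=www.example.com", "issuer": "CN=Corp MITM CA", "der": b"leaf-reissued"},
    {"subject": "CN=Corp MITM CA", "issuer": "CN=Corp MITM CA", "der": CORP_MITM_DER},
]


def indicator_text(chain: List[Cert], policy: List[TrustSource]) -> str:
    """The short string a UI would show next to the lock icon."""
    indicator, source = classify_chain(chain, policy)
    if indicator == "trusted":
        return f"Secure ({source})"
    if indicator == "intercepted":
        return f"Inspected by {source}"
    return "Not trusted"


if __name__ == "__main__":
    for label, chain, policy in [("home/direct", DIRECT_CHAIN, HOME_POLICY),
                                 ("work/intercepted", INTERCEPTED_CHAIN, WORK_POLICY),
                                 ("home/intercepted", INTERCEPTED_CHAIN, HOME_POLICY)]:
        print(f"{label:18} -> {indicator_text(chain, policy)}")
```

Run as a script it prints one indicator line per scenario; the third scenario shows why the policy belongs at the host level: an interception CA that is not in the active policy yields "Not trusted", so a device that is only enabled on managed machines cannot silently pass as a public root at home.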
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
