Adam Back wrote: > > I am not convinced by the legal arguments, while it is true that companies > doing egress monitoring probably warn their users; the fact that these mitm > proxies cut through SSL even on the users own hardware without warning is > going to violate the privacy expectations of many users even technically > sophisiticated because that is the normal SSL promise. And in some > countries there are rules about such things regardless of employee contracts > relating to reasonable expectation of privacy.
The issue of companies that want to monitor activities of employees is a socio-political problem, not a technical one. In countries with strong civil liberties there are already legal/consitutional protections that make it a criminal offence for employers to monitor the communications of employees. In countries with weak civil liberties, such as in the US, this needs to be addressed at the political level. > > And unfortunately practice of many sites is to host one cert per machine in > their 100+ load balance farm to the point that even people looking for > anomalies are drowned by false positives with cert patrol etc. > > It would really be a lot simpler if sites could stick to one cert per > service even if its hosted on multiple machines. I do wonder if much real > security is gained by putting a separate cert on each load balanced box. That can sometimes be an artifact of the CA's licensing terms for the server certificate and/or of the particular backend software in use, or a result of the software installation options, rather than an explicit desire of the sysadmin. -Martin _______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
