undefined | Better HN

0 pointsshawnz6y ago0 comments

Regarding your second point, this change will improve privacy for your clients and make it harder for bad actors to take advantage of your network. So what's not to like? Just because your old tooling won't work anymore doesn't mean that this change is a bad thing for clients.

0 comments

vetinari6y ago

If it improves privacy for the clients, it also improves privacy for the malware, and you won't be able to monitor or be alerted of it.

stirfrykitty6y ago

Most modern firewalls can decrypt/re-encrypt all traffic on the fly. The end user doesn't even notice. I've done this at my last two jobs.

More here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?...

syshum6y ago

That works by Man in the middle attacks of SSL

and Only works on Enterprise Networks for devices owned by the enterprise because the Enterprise Installs their own Root Certs on all devices that "tricks" the browsers into believing they are "google.com" not the real google.com

2 more replies

Murrawhip6y ago

What? The end user does notice if you haven't added the CA to the end user's PC.

JohnFen6y ago

> make it harder for bad actors to take advantage of your network.

How so? It looks to me like it makes it easier for bad actors to take advantage of my network, by making it harder to detect and block DNS lookups.

glennpratt6y ago

You are focused on unsophisticated bad actors if DNS is all it takes to block.

JohnFen6y ago

I don't understand your point. I'm certainly not solely focused on the unsophisticated ones, but those sorts are important too. And they're much more common as they include ad and other trackers.

1 more reply

j / k navigate · click thread line to collapse

0 comments

vetinari6y ago

If it improves privacy for the clients, it also improves privacy for the malware, and you won't be able to monitor or be alerted of it.

stirfrykitty6y ago

Most modern firewalls can decrypt/re-encrypt all traffic on the fly. The end user doesn't even notice. I've done this at my last two jobs.

More here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?...

syshum6y ago

That works by Man in the middle attacks of SSL

2 more replies

Murrawhip6y ago

What? The end user does notice if you haven't added the CA to the end user's PC.

JohnFen6y ago

> make it harder for bad actors to take advantage of your network.

How so? It looks to me like it makes it easier for bad actors to take advantage of my network, by making it harder to detect and block DNS lookups.

glennpratt6y ago

You are focused on unsophisticated bad actors if DNS is all it takes to block.

JohnFen6y ago

I don't understand your point. I'm certainly not solely focused on the unsophisticated ones, but those sorts are important too. And they're much more common as they include ad and other trackers.

1 more reply

j / k navigate · click thread line to collapse