[cryptography] trustwave admits issuing corporate mitm certs
maillists at krassi.biz
Sun Feb 12 22:13:32 EST 2012
I agree, I'm just reflecting on the reality... :(
On Sun, Feb 12, 2012 at 6:52 PM, Nico Williams <nico at cryptonector.com> wrote:
> On Sun, Feb 12, 2012 at 7:51 PM, Krassimir Tzvetanov
> <maillists at krassi.biz> wrote:
>> Sorry, tough questions only... no answers :)
> Not really tough. A good policy is: don't allow personal use of the
> corporate network. No gmail. No yahoo. No employee-owned devices.
> No shopping. No nothing. Allow HTTPS only to white-listed sites
> (e.g., vendor software update services, a github or a sourceforge, if
> the company uses open source projects, and so on).
> Ten years ago that might have sounded draconian. Twenty-five years
> ago such a policy would have been unthinkable (user-owned network
> devices? Internet access? what are those things?). But now we have
> 3G and 4G everywhere. Employees can be connected to the Internet
> without going through their employers' networks. So why not apply
> such a policy? I think it's the best approach. In some cases
> employees may not be allowed even personal devices connected using
> public 3G/4G networks (think of sensitive military / research sites),
> and that would hardly be the end of the world.