I wrote the Apple Pay DPAN provisioning message tokenizer at a major financial institution in COBOL. Messages came through the payment network backend (BASE24) and our systems are all mainframes. COBOL will never go away until our major financial institutes are obsolete.
I met with my manager to, what I thought was, discuss the project and I brought up that tokenized PANs were our opportunity to transition off the mainframe and that we missed the boat. It fell on deaf ears because our meeting was actually to discuss how I was being reprimanded for using an SSH connection which the company couldn't perform a MITM attack on. It was at that point I knew I could not advance my career there.
It sounds like they were having trouble doing their job because their corporate IT decided it was more important to intercept all TLS/SSL traffic on the corporate network than to allow software developers to do their job securely.
They weren't MITM attacking people outside the company, just MITM attacking their own employees.
I feel that pain, quite often (and am slowly losing a war on it at my current employer, sigh). TLS/SSL Interception Proxies are scum that make the internet overall less secure for a weird sense of security by corporate IT departments.
As a software developer, it's my job to make sure that no one is MITM attacking me so that the code I download to incorporate into projects is safe and secure. I can't check if a bad actor is MITM attacking me when my own employer is MITM attacking me.
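One way a developer can actually check whether the TLS connection in front of them is being terminated by an interception proxy is key pinning: hash the SubjectPublicKeyInfo of the leaf certificate the network really hands you and compare it with a pin obtained out of band. Added example, not code from any commenter in this thread; it assumes Python 3 with only the standard library, and the sample certificate it builds is a constructed stand-in with just enough DER structure for the parser, not a real X.509 certificate.

```python
import base64, hashlib, socket, ssl

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_der(cert_der):
    """Return the DER SubjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)            # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):       # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)            # subjectPublicKeyInfo
    return cert_der[pos:end]

def spki_pin(cert_der):
    """HPKP-style pin: base64(sha256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_from_der(cert_der)).digest()).decode()

def pin_matches(cert_der, expected_pins):
    """True if the leaf carries a pinned key. An interception proxy has to re-sign
    with its own key, so its leaf never matches a pin obtained out of band."""
    return spki_pin(cert_der) in set(expected_pins)

def fetch_leaf_der(host, port=443):
    """Leaf certificate as actually presented on this network path (live check)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed sample: NOT a real X.509 certificate, only enough DER structure
# for spki_from_der, so the pin check can be exercised offline.
def der_encode(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_cert(spki, issuer_cn):
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
           + der_encode(0x30, b"") + der_encode(0x30, der_encode(0x0C, issuer_cn))
           + der_encode(0x30, b"") + der_encode(0x30, b"") + spki)
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
```

Because a corporate proxy's CA is installed in the OS trust store, `ssl.create_default_context()` validation passes silently on an intercepted connection; only the pin comparison reveals that the key on the wire is not the site's. The pin itself has to come from a channel the proxy cannot touch (vendor documentation, a signed release, a phone call), otherwise it proves nothing.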
> "It sounds like they were having trouble doing their job because their corporate IT decided it was more important to intercept all TLS/SSL traffic on the corporate network than to allow software developers to do their job securely."
Right, that was what I thought too. This is honestly why I'm turned off from applying to work with more bureaucratic companies (soon to be a fresh graduate). I understand the reason for sensitive information being leaked. But this seriously causes a lot of productivity loss...
I've interned with a small company that needs to SSL into government/company servers to do work. (I don't do them, just on a local company machine for testing etc. Also maybe why they can't let me do live-site-related stuff.) It'll be a big pain to not be able to SSL remotely and do work.
In large organizations for compliance purposes it is commonplace for the company to MITM all network traffic internally. This ensures that information which is restricted from leaving particular systems or the company doesn't get exfiltrated. It's kind of a braindead practice, but it's what happened in the early days of SSL being disgusting and now that things are nicer we're stuck with it.
We shouldn't be stuck with it. In a large organization they should already have control of the endpoints. They can absolutely get every domain/VPN-joined machine to directly tattle on user traffic without intercepting anything. It's just that Microsoft's tools (or Red Hat's or Apple's) for that are less sexy to IT people and have less interesting names and hardware purchases involved than things like "Electric Eel Secure Firewall" and "NetShark 3000".
It's the Corporate IT equivalent of the security theater that still gets consumers to buy Norton/McAfee/etc products when Windows Defender and Windows Firewall are more than adequate, free, built-in, but "too quiet" and not enough slot-machine like glowing green "Safe" spinners.
I would guess it wanted to be able to snoop on connections that its developers were making to its production systems. Unusual, but not entirely unreasonable.