Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It is crazy that you're even entertaining the thought that the entire security model of the world wide web has been circumvented by WebSense. I guess they just really know how to keep a secret?


I am a little confused by the disparity between your statements and the statements here:

http://security.stackexchange.com/questions/2914/can-my-comp...

It sounds pretty clear to me that with some work on the adversary's part and lack of checking of the certificate chain, TLS can be subverted.


Websense doesn't break TLS or SSL or PKI. Websense abuses an organizations control over their own workstations to conduct a 'mitm' or 'proxy' of the TLS connection. It does that in a fairly straight forward manner.

Websense is used in organizations that distribute their own root ca key to the workstations behind it. The Websense machine is then given that root ca key and allowed to generate dynamic certs with it, so that a workstation with your organizational CA trusts them, but nobody on the regular inter webs will.

It's a really, really shitty way to do things, and effectively violates the trust of every user on your corporate network, but hey, they signed an agreement.


Thank you for the information.


Yes, if you don't check certificates you can subvert TLS. Also if you key your ciphers with zeroes. Don't do those things.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: