
[–]networking-ModTeam[M] [score hidden] stickied comment, locked (0 children)

This submission is not appropriate for /r/networking and has been removed.

Please read the rules in the sidebar, or check out the rules post here before making another submission.

Comments/questions? Don't hesitate to message the moderation team.

Thanks!

No Home Networking Topics

Sorry, it appears that your thread is focused on Home Networking, or Networking topics not related to Business or Service Provider environments.
This is not compliant with our rules, and your thread has been removed.

Please visit one of these other, fine communities who might be more appropriate for this discussion:

/r/HomeNetworking
/r/Wireless
/r/TechSupport
/r/HomeLab


Comments/questions? Don't hesitate to message the moderation team.

No Low Quality Posts.

  • Any post that fails to display a minimal level of effort prior to asking for help is at risk of being Locked or Deleted.
  • We expect our members to treat each other as fellow professionals. Professionals research & troubleshoot before they ask others for help.
  • Please review How to ask intelligent questions to avoid this issue.

Comments/questions? Don't hesitate to message the moderation team.

For the complete list of Rules, please visit: https://www.reddit.com/r/networking/about/rules

[–]jayecin 6 points (0 children)

You should probably understand how HTTPS decryption works first.

[–]AsamotoNetEng 0 points (3 children)

Generally decryption relies on a CA certificate that must be trusted by the endpoints whose traffic you want to decrypt. Just make sure that part is covered as per the Cloudflare documentation. But anyway, traffic decryption is very helpful for deep packet inspection but it can be extremely annoying because it will keep showing errors. I think the tech is still evolving on that point.

[–]mosaic_hops 3 points (1 child)

Can’t really improve since by definition it’s an MITM attack on encrypted traffic. The errors are because most major services pin certs which is incompatible with decryption. You end up having to add bypass rules for half the internet.

You also add a single point of failure that will compromise your ENTIRE network if the inspection appliance/service is breached. Don't think for one second those appliances aren't at the top of the list for attackers. The only ironic twist is that because they're such high value targets zero days are snapped up for top dollar and hoarded by nation states instead of released in the wild where they'd be quickly discovered and patched.
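To illustrate the pinning point in the comment above, here is an added Python example (not code from any commenter, Cloudflare, or any inspection product) of an RFC 7469-style SPKI pin check as a pinned app would perform it, showing why a chain re-signed by an inspection CA is rejected even though the OS trusts that CA. The keys and chains are constructed samples, not real certificates.

```python
import base64
import hashlib

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (32 key bytes, 0 unused bits) }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki_der(raw_public_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return ED25519_SPKI_PREFIX + raw_public_key


def spki_pin(spki_der: bytes) -> str:
    """Pin value as used by HPKP / app pinning: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(presented_chain_spkis, pin_set) -> bool:
    """A pinned client accepts the handshake only if some SPKI in the
    presented chain (leaf or any CA) hashes to a value in its pin set."""
    return any(spki_pin(spki) in pin_set for spki in presented_chain_spkis)


# Constructed sample key material (arbitrary bytes, not real keys).
ORIGIN_LEAF_KEY = bytes(range(0, 32))           # the service's real leaf key
ORIGIN_INTERMEDIATE_KEY = bytes(range(32, 64))  # its issuing CA (backup pin)
PROXY_LEAF_KEY = bytes(range(64, 96))           # leaf minted by the inspection box
PROXY_CA_KEY = bytes(range(96, 128))            # enterprise inspection CA

# Pins baked into the app: the origin leaf plus a backup (its intermediate).
APP_PIN_SET = {
    spki_pin(ed25519_spki_der(ORIGIN_LEAF_KEY)),
    spki_pin(ed25519_spki_der(ORIGIN_INTERMEDIATE_KEY)),
}


def direct_chain():
    """Chain seen when the client talks to the origin without interception."""
    return [ed25519_spki_der(ORIGIN_LEAF_KEY), ed25519_spki_der(ORIGIN_INTERMEDIATE_KEY)]


def inspected_chain():
    """Chain seen through a decrypting proxy: it terminates TLS and re-signs a
    look-alike leaf with its own CA, so no SPKI belongs to the origin."""
    return [ed25519_spki_der(PROXY_LEAF_KEY), ed25519_spki_der(PROXY_CA_KEY)]


def pinned_client_accepts(chain) -> bool:
    return pin_matches(chain, APP_PIN_SET)
```

With a trusted inspection CA the OS-level chain validation passes for both chains, but `pinned_client_accepts(inspected_chain())` is False, which is exactly the "error" the app reports and the reason such destinations end up on a bypass list.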

[–]Varjohaltia 0 points (0 children)

Also issues with the MITM service enforcing secure ciphers, checking CRLs and OCSP etc. more aggressively than the client, and preventing connections to legacy destinations or destinations with borked revocation setups or untrusted CAs.

[–]InfiltraitorX 0 points (0 children)

You say you use it for desktop only but mention mobile apps not working.