Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I have no idea how I might go about arguing with you; it's as if I were to argue "a brief search of the literature suggests that P is definitely NP". Give me something more specific and I'll give you the context behind it; right now, I don't know what you're talking about.

(Sigh). Fiddler pops the browser certificate warning when you use it; it's not breaking TLS.

You must just as productively say "my friend assures me AES is broken; maybe that's what Iran is doing." Just like your competent admin friend, there would be some reason for him to say that; it just wouldn't be relevant.



Well, rephrased, what I am led to believe is that Websense can read HTTPS traffic without sparking a certificate warning.

I don't have details on that, unfortunately.


It is crazy that you're even entertaining the thought that the entire security model of the world wide web has been circumvented by WebSense. I guess they just really know how to keep a secret?


I am a little confused by the disparity between your statements and the statements here:

http://security.stackexchange.com/questions/2914/can-my-comp...

It sounds pretty clear to me that with some work on the adversary's part and lack of checking of the certificate chain, TLS can be subverted.


Websense doesn't break TLS or SSL or PKI. Websense abuses an organizations control over their own workstations to conduct a 'mitm' or 'proxy' of the TLS connection. It does that in a fairly straight forward manner.

Websense is used in organizations that distribute their own root ca key to the workstations behind it. The Websense machine is then given that root ca key and allowed to generate dynamic certs with it, so that a workstation with your organizational CA trusts them, but nobody on the regular inter webs will.

It's a really, really shitty way to do things, and effectively violates the trust of every user on your corporate network, but hey, they signed an agreement.


Thank you for the information.


Yes, if you don't check certificates you can subvert TLS. Also if you key your ciphers with zeroes. Don't do those things.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: