SSL offloading - when is the end not the end
Michael Farnum has an excellent article up over on ComputerWorld today about SSL offloading. Michael makes an excellent point that with so many devices decrypting SSL traffic before its intended "end", if that information is then compromised, someone has some 'splaining to do. A reader comments that he does not consider it too serious a problem: SSL was meant to ensure end-to-end encryption, and they have simply replaced the end.
Reading this article brought back flashes of when McAfee Intruvert first started touting their ability to decrypt and inspect SSL traffic. They would decrypt at the IPS (often at the gateway) and then send the traffic in the clear to its destination. I thought it was a bad idea then and I think it is a bad idea now. SSL was intended to encrypt end to end. When you hijack the end and then send that data in the clear, you are defeating the whole purpose of using it in the first place. I understand the need to inspect this traffic, but decrypting it before its "end" is not an acceptable answer for me and is too much of a risk. Michael is dead on!
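To make the "replaced end" concrete, here is an added example (not from this post or the Computerworld article) of what the two choices look like in an nginx reverse-proxy configuration; hostnames, addresses and certificate paths are placeholders, and the two server blocks are alternatives, not meant to be loaded together. The first terminates TLS and forwards the backend hop as cleartext HTTP, which is exactly the pattern described above; the second still terminates at the proxy but re-encrypts the hop and verifies the backend's certificate, so plaintext never crosses the wire.

```nginx
# Added example, not from the original post. All names and paths are placeholders.

# Weak: TLS ends at the proxy; the hop to the backend is cleartext HTTP.
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;

    location / {
        # Anything between this proxy and the backend sees the decrypted data.
        proxy_pass http://10.0.0.10:8080;
    }
}

# Hardened: inspect/terminate at the proxy, then re-encrypt the backend hop
# and verify the backend's certificate against an internal CA.
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;

    location / {
        proxy_pass https://backend.internal:8443;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;                                 # fail closed on a bad cert
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_server_name on;                            # send SNI to the backend
        proxy_ssl_name backend.internal;                     # name checked against the cert
    }
}
```

A quick check that the hardened path is in effect is to capture on the proxy's backend-facing interface: with the first block you will see HTTP request lines, with the second only a TLS handshake and ciphertext.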
SSL offloading / accelerating / load-balancing is scary - Computerworld Blogs