GSA/https

A page on enterprise traffic inspection devices


Enterprise traffic inspection, and how it relates to HTTPS, comes up a lot in a federal context.

In particular, I don't believe it's well understood that the presence of enterprise traffic inspection essentially moves an agency's security boundary from the browsers of its staff to the traffic inspection device(s).

For example, the protections of HSTS, key pinning, and certificate validation itself can all be rendered ineffective in protecting agency staff, unless that agency's enterprise traffic inspection device itself implements support for those protections. This applies to basically any security-relevant feature browsers and other clients implement now or in the future: OCSP stapling (and Must-Staple), Certificate Transparency, SCSV signalling, protocol version support, modern ciphers, etc.

Agencies may also have questions or concerns about the interaction of certificates served by their traffic inspection device with those they deploy to the websites they operate.

These issues are worth clearly describing on a page on https.cio.gov.
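The boundary shift described in this issue can be shown concretely. The following Go program is an added illustration, not code from the GSA/https project or from the issue author: it builds a constructed public CA and a constructed enterprise inspection CA, issues a certificate for the constructed hostname `example.gov` from each, and then evaluates both chains the way a managed browser would, with the enterprise root in its trust store. Ordinary certificate validation accepts the device-minted certificate just as readily as the origin's real one, so any protection that depends on the origin's identity (an SPKI pin here) is only meaningful if the device enforces it on the upstream leg. The `Intercepted` field shows the check an agency can use to confirm where termination is happening.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCA creates a self-signed CA certificate and its private key (constructed, in-memory only).
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueLeaf issues a server certificate for host, signed by the given CA, with a fresh key.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// spkiHash is the SHA-256 of the SubjectPublicKeyInfo, the value a key pin is compared against.
func spkiHash(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// Scenario holds the origin's real certificate and the one an inspection device mints for the same name.
type Scenario struct {
	Host            string
	PublicRoot      *x509.Certificate
	EnterpriseRoot  *x509.Certificate
	OriginLeaf      *x509.Certificate
	InterceptedLeaf *x509.Certificate
}

// BuildScenario constructs both CAs and both leaf certificates; all names are placeholders.
func BuildScenario() Scenario {
	host := "example.gov" // constructed hostname for the demonstration
	pubCA, pubKey := makeCA("Constructed Public CA")
	entCA, entKey := makeCA("Constructed Enterprise Inspection CA")
	return Scenario{host, pubCA, entCA, issueLeaf(host, pubCA, pubKey), issueLeaf(host, entCA, entKey)}
}

// Observation is what a managed browser can learn about one chain it is presented with.
type Observation struct {
	Validates   bool // ordinary certificate validation against the endpoint's trust store
	PinMatches  bool // SPKI pin check against the origin's real key
	Intercepted bool // leaf was signed by the enterprise root, i.e. the device terminated TLS
}

// Observe evaluates a leaf as a managed endpoint that trusts both the public and the enterprise root.
func Observe(s Scenario, leaf *x509.Certificate) Observation {
	roots := x509.NewCertPool()
	roots.AddCert(s.PublicRoot)
	roots.AddCert(s.EnterpriseRoot) // the managed-device trust store includes the inspection CA
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: s.Host, Roots: roots})
	return Observation{
		Validates:   err == nil,
		PinMatches:  spkiHash(leaf) == spkiHash(s.OriginLeaf),
		Intercepted: leaf.CheckSignatureFrom(s.EnterpriseRoot) == nil,
	}
}

func main() {
	s := BuildScenario()
	fmt.Printf("direct:      %+v\n", Observe(s, s.OriginLeaf))
	fmt.Printf("intercepted: %+v\n", Observe(s, s.InterceptedLeaf))
}
```

Both chains validate, so nothing in the browser's standard validation distinguishes them; only the pin comparison and the issuer check do, and in a real deployment the pin (or HSTS state, OCSP staple, CT requirement, and so on) is only enforced against the origin if the inspection device performs that enforcement on its own outbound connection.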

The site likely isn't adding new substantive (and potentially controversial!) pages right now, so closing.