1. SSL does not 100% help against surveillance – what pages your browser requested is still visible to your ISP and the NSA. (so-called „metadata“ is very valuable data – a lot of other information can be derived from „metadata“ without actually knowing the content of the communication)
    • the tor browser bundle should do a better job at this – it uses a series of anonymization proxies to hide the origin IP…. but attempts are also made to identify users at exit nodes. (your screen resolution is one of the factors that websites can extract and that MIGHT HELP to identify you and your internet-traffic metadata 😀 therefore the tor browser bundle says „leave the window at its default size“ – it is not illegal – so why don’t you use it? ;))
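To make the metadata point concrete: even with SSL/TLS, the hostname the browser wants is sent unencrypted in the ClientHello's Server Name Indication (SNI) extension, so anyone on the path can read it without touching the encrypted content. The following Python script is an added example, not code from this post: it builds a constructed ClientHello record for a hostname and then parses it the way a passive observer would, pulling the SNI out of the clear-text handshake. The builder only exists to produce sample input; real ClientHello messages from a browser carry more cipher suites and extensions, which the parser simply skips over.

```python
"""Extract the plaintext SNI hostname from a TLS ClientHello record (added example)."""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (sample input, not real browser traffic)."""
    sni_name = hostname.encode("ascii")
    # ServerName entry: name_type 0 (host_name), 2-byte length, name
    server_name_entry = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name
    server_name_list = struct.pack("!H", len(server_name_entry)) + server_name_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    # an unrelated, empty extension (extended_master_secret) so the parser has to skip one
    other_ext = struct.pack("!HH", 0x0017, 0)
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                                     # client_version: TLS 1.2
        + b"\x11" * 32                                  # random (constant, constructed)
        + b"\x00"                                       # session_id length: 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"    # two cipher suites
        + b"\x01\x00"                                   # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's SNI extension, or None if absent/malformed."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                       # skip client_version and random
    if len(body) < pos + 1:
        return None
    sid_len = body[pos]
    pos += 1 + sid_len                 # skip session_id
    if len(body) < pos + 2:
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                  # skip cipher_suites
    if len(body) < pos + 1:
        return None
    cm_len = body[pos]
    pos += 1 + cm_len                  # skip compression_methods
    if len(body) < pos + 2:
        return None                    # no extensions block at all: nothing to read
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:              # walk the extension list
        ext_type, ext_body_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_body = body[pos:pos + ext_body_len]
        pos += ext_body_len
        if ext_type != EXT_SERVER_NAME:
            continue
        if len(ext_body) < 2:
            return None
        list_len = struct.unpack("!H", ext_body[:2])[0]
        p, stop = 2, min(len(ext_body), 2 + list_len)
        while p + 3 <= stop:           # walk the ServerNameList entries
            name_type = ext_body[p]
            name_len = struct.unpack("!H", ext_body[p + 1:p + 3])[0]
            p += 3
            name = ext_body[p:p + name_len]
            p += name_len
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    sample = build_client_hello("www.example.com")   # constructed sample record
    print("observer sees SNI:", extract_sni(sample))
```

On real traffic, feed `extract_sni` the first record of a captured TCP stream to port 443; the result is exactly the hostname an ISP or any upstream observer learns from the handshake alone. The DNS lookup that precedes the connection leaks the same name, so hiding SNI (TLS 1.3 Encrypted Client Hello) only helps together with encrypted DNS.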
  2. SSL is of course also a threat to any virus-scanning firewall – if the firewall cannot decrypt the content, it cannot scan your mail attachments and so on for viruses…
    • this is how symantec and microsoft tackle the problem:
      • basically they do a kind of man-in-the-middle „attack“.
      • this is how I imagine it to work:
      • whenever the browser requests an SSL certificate (public key) from the webserver, the appliance exchanges it with its own SSL certificate – of course the end user will probably be shown a warning „SSL certificate not for this domain“ – at the same time the appliance shows the user „be warned! we monitor content (! meta anyway) of this traffic!“
      • Visibility into Encrypted Traffic
        The ProxySG has an SSL Proxy that allows for visibility into SSL traffic, so the ProxySG can securely send attachments and content for inspection services.
      • Encrypted Tap, a licensable feature, builds on the SSL Proxy capabilities to send a stream of decrypted content to third-party systems for additional analysis, archiving, and forensics.
      • Together, they eliminate SSL blind spots, giving you complete visibility and control over SSL-encrypted traffic to stop rogue applications, malware and cyberattacks from using SSL to hide their activities.
      • SSL Proxy terminates and re-establishes SSL connections and allows the ProxySG to securely send attachments and content for inspection services.
      • Stops information leakage over SSL links through scanning of encrypted traffic for sensitive information

        src: https://www.bluecoat.com/documents/download/55f7a80d-67cd-4994-bba5-09a2baa48226/dde5fa1c-66d2-42af-81fb-a211d7c9b491
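One way to notice the certificate swap described above from the client side, as an added example that is not part of the original post or of any vendor's product: a helper that takes a certificate in the dict form returned by Python's `ssl.SSLSocket.getpeercert()` and flags the two things an interception appliance changes, the issuer (it is now the appliance's own CA instead of the public CA you expect) and a subject name that does not cover the requested host. The pinned issuer organization and both sample certificates are constructed for the example; `fetch_peer_cert` is a hypothetical live helper that needs network access and is not exercised offline.

```python
"""Flag a TLS server certificate that looks like it came from an interception proxy (added example)."""
import socket
import ssl

# Issuer organizations expected to sign this host's certificate (constructed pin set)
PINNED_ISSUER_ORGS = {"Example Public CA Inc"}


def _rdn_value(name_tuples, key):
    """Pull one attribute (e.g. 'organizationName') out of getpeercert()'s nested RDN tuples."""
    for rdn in name_tuples:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _san_dns_names(cert):
    """All DNS entries of the subjectAltName extension."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _hostname_matches(hostname, pattern):
    """Match one DNS SAN entry; a wildcard covers exactly one left-most label."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return hostname == pattern


def inspect_peer_cert(cert, hostname, pinned_issuer_orgs=PINNED_ISSUER_ORGS):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName")
    if issuer_org not in pinned_issuer_orgs:
        # a different issuer than the one pinned is the signature of a re-signed certificate
        findings.append(f"issuer-not-pinned: {issuer_org!r}")
    san = _san_dns_names(cert)
    if not any(_hostname_matches(hostname, name) for name in san):
        # the "SSL certificate not for this domain" case from the post
        findings.append(f"hostname-mismatch: {hostname!r} not covered by SAN {san}")
    return findings


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Hypothetical live helper: fetch the leaf certificate in getpeercert() form (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the shape returned by ssl.SSLSocket.getpeercert()
GENUINE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA Inc"),),
               (("commonName", "Example CA R3"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Corporate SSL Inspection Appliance"),),
               (("commonName", "Proxy Root CA"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(label, inspect_peer_cert(cert, "www.example.com") or "looks clean")
```

If the appliance's root CA has been pushed into the client's trust store (the usual corporate setup), the browser shows no warning at all and `fetch_peer_cert` succeeds, which is exactly why comparing the issuer against what you expect is the useful check. A fingerprint pin on the leaf certificate (`hashlib.sha256` over `getpeercert(binary_form=True)`) is stricter but has to be rotated whenever the site renews its certificate.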

  3. Netronome’s SSL appliances deliver SSL decryption in networks ranging from 100 Mbps to 10 Gbps full duplex, giving you visibility into SSL traffic while it’s running across your network. Equally important, Netronome lets you take advantage of sophisticated analytics by providing inspection capabilities at scale. It provides up to four data feeds to a wide range of in-network security applications, such as intrusion prevention, intrusion detection, sandboxing and forensics, which can then analyze the data for threats or data breaches.

Links:

Let’s Encrypt needs your donation – according to this video their operation consumes 200.000USD each month: https://youtu.be/SmOWzKLTODA

http://www.zdnet.com/article/how-the-nsa-and-your-boss-can-intercept-and-break-ssl/

admin