Monday, December 14, 2020

SSL Decryption/DPI

I recently saw a post about someone deploying SSL Decryption/DPI and a couple of issues they had with certain applications not working. As the person posting did not seem to be on the network/security side and more on the end-user side, I made a comment about ensuring that certain sensitive websites were not being decrypted (banks mostly).

I was surprised to be called out that this was not a good idea, that if you're doing SSL Decryption it should be an all or nothing approach and users don't get privacy.

My understanding is that if you're doing SSL Decryption/DPI you could potentially see things like credit card details and bank account details. This would pose quite a security risk and surely then require those companies to ensure access to and storage of that data is appropriate?

Is my understanding correct? Also, if you are doing SSL decryption/DPI, are you decrypting everything?


