Tuesday, September 7, 2021

Is TLS offload now considered bad practice?

So I just read this Microsoft blog post, albeit from 2018, basically saying that TLS offloading should be avoided. Here's a snippet (it's in the section about Application Gateway):

Prior to 2017, TLS Offload was recommended, however, Microsoft changed its internal security controls requirements for the use of TLS for all connections from recommended to mandatory. Hence TLS Offloading is not the recommended best practice and should be avoided.

Googling around a bit, I found some stuff from around 2013 talking about the NSA's 'MUSCULAR' project and how they were snooping on internal traffic at Google (and elsewhere). So maybe this is the reason why?

So I wondered if this is, or is becoming, the prevailing opinion? With more power at the server level, is there still the need to offload the processing that TLS requires? And with certificate automation using the likes of Let's Encrypt, is central management not so necessary any more?
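To make the distinction concrete, here is an added example (my own, not from the post or from Microsoft's documentation) showing the two patterns as nginx reverse-proxy configuration. Pattern A is classic TLS offload: the proxy terminates TLS and forwards plain HTTP, so the hop across the internal network is cleartext. Pattern B keeps a certificate at the edge for the client but re-encrypts to the backend and verifies the backend's certificate, which is what "end-to-end TLS" means in load balancer terms. The two server blocks are alternatives, not meant to be loaded together, and the hostnames, addresses and certificate paths are assumed placeholders.

```nginx
# Pattern A: TLS offload. TLS ends at the proxy; the backend hop is plain HTTP.
server {
    listen 443 ssl;
    server_name www.example.com;                                  # assumed hostname
    ssl_certificate     /etc/nginx/certs/www.example.com.crt;     # placeholder path
    ssl_certificate_key /etc/nginx/certs/www.example.com.key;     # placeholder path

    location / {
        proxy_pass http://10.0.0.10:8080;   # assumed backend; this hop is cleartext on the internal network
    }
}

# Pattern B: end-to-end TLS. The proxy still terminates the client session
# (so it can route, log and apply policy) but re-encrypts to the backend and
# verifies the backend certificate against an internal CA.
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/certs/www.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/www.example.com.key;

    location / {
        proxy_pass https://app-backend.internal:8443;                     # assumed backend name
        proxy_ssl_protocols TLSv1.2 TLSv1.3;                              # no legacy protocol versions on the back half
        proxy_ssl_verify on;                                              # fail closed if the backend cert does not validate
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.crt;   # placeholder: CA bundle that issued backend certs
        proxy_ssl_server_name on;                                         # send SNI so the backend presents the right cert
        proxy_ssl_name app-backend.internal;                              # name checked against the backend certificate
    }
}
```

The security difference is entirely in the `proxy_pass` scheme and the `proxy_ssl_verify` line: without verification, "https" to the backend only hides the traffic from a passive observer, it does not stop a host on the internal segment from impersonating the backend. The operational cost of Pattern B is exactly what the post asks about: every backend now needs its own certificate and a renewal process, which is where an internal CA or ACME-based automation earns its keep. `nginx -t` validates the syntax before a reload.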
