To inspect or not to inspect, that is the question.
TLS 1.3 is by far the most secure version of the Transport Layer Security (TLS) protocol, but its use of ephemeral elliptic curve keys–and the deprecation of static RSA keys–means that TLS sessions now offer forward secrecy, a bane to enterprise security administrators who want to maintain visibility into their network traffic.
So, what’s the better security strategy? Deploy TLS 1.3 middleboxes to maintain visibility, thus creating new secure weaknesses, or let it slide and focus on endpoint threat detection and mitigation instead?
“Enterprise network sites often decide to decrypt encrypted traffic at a network proxy, allowing the network admin to scrutinize, log or block the traffic in question. But should enterprise network administrators do this? [emphasis his]” Kurt Andersen, a member of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) Board of Directors, tells CSO, speaking in his capacity as a M3AAWG board member.
There are good arguments for doing so and good arguments for not doing so. Since every organization has a different threat model, you can’t offer a black/white, yes/no answer. Here are some considerations to help make a decision on TLS 1.3 interception in an enterprise environment.
