"[...] target API Level 24 and above no longer trust user or admin-added CAs for secure connections, [...]"
-
-
what's the solution for enterprise environments here?
3 replies 0 retweets 0 likes -
there's an implicit assumption that "enterprise" needs this. I challenge that.
2 replies 0 retweets 1 like -
Replying to @hanno @Scott_Helme and
Issue is always exfil. They'll just API the remote instead: https://www.paloaltonetworks.com/products/secure-the-cloud/aperture …
2 replies 0 retweets 0 likes -
Replying to @TychoTithonus @hanno and
API into corp Dropbox to do DLP. Non-corp Dropbox accts blocked by PA. No need to intercept.
1 reply 0 retweets 1 like -
Replying to @TychoTithonus @hanno and
Drawback: requires app-aware NGFW, & tight integration between firewall and remote DLP
1 reply 0 retweets 0 likes -
Replying to @TychoTithonus @hanno and
The other half is to whitelist outbound encryption (block all unexpected outbound TLS)
1 reply 0 retweets 0 likes -
Replying to @TychoTithonus @hanno and
The right solution is to block internet entirely from systems with sensitive data.
2 replies 0 retweets 0 likes -
Replying to @RichFelker @TychoTithonus and
Use separate computers for email/web and for assets that need protection.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @hanno and
+1 - good defense in depth. Outbound encryption/obfusc must also be controlled ... somehow.
1 reply 0 retweets 0 likes
It's controlled by not having an outbound. If there's an outbound you already lost.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.