MrDarcy a day ago

There aren’t many situations where expecting everyone to explain everything in every detail is correct, but there are some.

Many of those situations where it is OK are down at the foundational level of the internet itself, which is what Linode and Drew DeVault were concerned with back in the day.

An example today I’m wrestling with is TLS interception (valid) vs protecting against TLS man-in-the-middle attacks. It’s tough to get people to see it’s an either/or situation; they truly are mutually exclusive.

Unless we walk together through every painstaking detail to reach the necessary conclusion together.

zdw a day ago

The TLS issue mentioned can be more easily conceptualized if you view the root CA lists as "The people you're OK with MITM-ing you".

And then whether your trust in the browser vendor coalition to push back against and punish even accidental CA malfeasance is reasonable.

  • MrDarcy 18 hours ago

    The crux of the issue is reasonable people can disagree on what is OK at a large org.

    Security, like every human, believes they’re the good guys.

    Platform teams cannot enforce the principle of least privilege.

    Truly a paradox.

computerfriend a day ago

I feel like I've been in the same position as you. I ended up not being able to convince those who mattered so I left. Hope you have better luck!
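The point MrDarcy and zdw are making above, that a trusted root list is exactly the list of parties who can interpose on your TLS sessions, can be shown in a few dozen lines of Go. The program below is an added example written for this page, not code posted by anyone in the thread: it mints two self-signed roots (a stand-in for a public CA and a corporate "TLS inspection" CA), has each issue a server certificate for the constructed hostname bank.example, and then runs the same chain validation a browser performs against two trust stores, one with and one without the corporate root. The CA names, serial numbers and hostname are all made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint generates a fresh P-256 key for tmpl and has parent sign the certificate.
// With a nil parentKey the certificate is self-signed, i.e. it becomes a root.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate describes a root CA valid for one day (names are constructed).
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate describes an ordinary server certificate for host.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// accepts reports whether a client whose trust store is roots would accept leaf
// for host. This is the chain validation a browser runs on every handshake.
func accepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Outcome records what two differently configured clients do with two
// certificates that both claim the same hostname.
type Outcome struct {
	GenuineByStrict bool // the site's own cert; client trusts only the public CA
	ForgedByStrict  bool // the proxy's on-the-fly cert; same client
	ForgedByCorp    bool // the proxy's cert; client also trusts the corporate CA
}

// Run plays out the scenario for the constructed hostname bank.example.
func Run() Outcome {
	const host = "bank.example"
	publicCA, publicKey := mint(caTemplate("Public Root CA", 1), nil, nil)
	corpCA, corpKey := mint(caTemplate("Corp TLS Inspection CA", 2), nil, nil)
	genuine, _ := mint(leafTemplate(host, 100), publicCA, publicKey)
	forged, _ := mint(leafTemplate(host, 200), corpCA, corpKey) // what an interception proxy presents

	strict := x509.NewCertPool()
	strict.AddCert(publicCA)
	corp := x509.NewCertPool()
	corp.AddCert(publicCA)
	corp.AddCert(corpCA) // the one policy change that turns MITM protection off

	return Outcome{
		GenuineByStrict: accepts(genuine, strict, host),
		ForgedByStrict:  accepts(forged, strict, host),
		ForgedByCorp:    accepts(forged, corp, host),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Nothing in the validation step knows or cares whether "Corp TLS Inspection CA" was added by the machine's owner for a legitimate inspection proxy or by an attacker with the same level of access: once it is in the store, any certificate it signs for any hostname is as good as the real one, which is why the two goals in the thread cannot both hold for the same client at the same time.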