Reply to post: Preventing good security practice

TLS proxies? Nah. Truthfully Less Secure 'n' poxy, say Canadian infosec researchers

Anonymous Coward

Preventing good security practice

My biggest grievance with SSL / TLS proxies is they prevent good security practice on the client. Fundamentally, the end user is the person in the best position to make an assessment of how secure a particular session needs to be. Whilst I might be completely OK with accepting a domain-validated (even self-signed) certificate when reading theregister, I would certainly not be doing my internet banking under such a connection. The fact that browsers by and large hide this information away behind a blanket lock logo and most users will never look any deeper doesn’t mean it’s OK to remove this information entirely. Lastly, unless I am wildly underestimating their capability, this proxying (man-in-the-middling) completely breaks certificate pinning on the client, something that generally seems a good thing to encourage.
