I run a lab in which I let a lot of computers, as well as networked "IoT" devices, phone home, and then I use enterprise-level tools to decrypt and capture that TLS/SSL network traffic. In the past year, I've been observing a steady increase in the number of devices and services which flat-out refuse to let me decrypt their communications - an unequivocally Good Thing for privacy and security. But I've also witnessed some disastrous problems, such as large corporations, who should know better, behaving badly, using self-signed or expired certificates for critical sites used to, for instance, deliver firmware updates.
In this overview, I'll discuss the good, bad, and really, really ugly things I've learned about what, how, and to whom these devices communicate, and in some cases, the contents of those communications. I'll also provide an overview of the tools and techniques I've used to re-sign certificates and capture the decrypted data, including how (and why) you can (and probably should) do this yourself. Finally, I plan to offer my own manifesto to businesses large and small about how they should do a much better job at protecting the privacy of their customers.
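The two certificate failures called out above, self-signed and expired certificates on update endpoints, are easy to check offline once you have the certificate bytes. The following is an added example, not the speaker's own tooling: a stdlib-only Python inspector that walks the DER of an X.509 certificate, pulls the issuer, subject and validity window from the TBSCertificate, and reports whether the certificate is self-signed (issuer equals subject) or outside its validity period. The `build_sample_cert` helper only constructs certificate-shaped test input (dummy key and signature, hypothetical names such as `updates.example`); on a real capture you would pass the DER you dumped from the endpoint instead.

```python
"""Offline audit of an X.509 certificate for two failure modes: self-signed
(issuer == subject) and expired / not yet valid. Stdlib only; parses DER
directly. Added example, not code from the talk."""
from datetime import datetime, timezone

SEQUENCE, SET, INTEGER, OID, UTF8STRING, UTCTIME = 0x30, 0x31, 0x02, 0x06, 0x0C, 0x17
VERSION_TAG = 0xA0  # [0] EXPLICIT version inside TBSCertificate


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def _parse_time(tag, value):
    s = value.decode("ascii")
    if tag == UTCTIME:  # YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    else:  # GeneralizedTime YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def inspect_cert(der, now=None):
    """Parse Certificate -> TBSCertificate and return the audit-relevant fields."""
    now = now or datetime.now(timezone.utc)
    _, cert_body, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _read_tlv(cert_body, 0)         # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == VERSION_TAG:             # optional explicit version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    (t1, nb), (t2, na) = _children(validity)
    not_before, not_after = _parse_time(t1, nb), _parse_time(t2, na)
    return {"self_signed": issuer == subject, "expired": now > not_after,
            "not_yet_valid": now < not_before,
            "not_before": not_before, "not_after": not_after}


def audit_update_endpoint_cert(der, now):
    """List the problems a lab report would flag; empty list means no findings."""
    r = inspect_cert(der, now)
    problems = []
    if r["self_signed"]:
        problems.append("self-signed (issuer == subject): not chained to a trusted CA")
    if r["expired"]:
        problems.append(f"expired on {r['not_after']:%Y-%m-%d}")
    if r["not_yet_valid"]:
        problems.append(f"not valid until {r['not_before']:%Y-%m-%d}")
    return problems


# --- constructed sample input (certificate-shaped DER, not a real signed cert) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue; 2.5.4.3 = commonName
    atv = _tlv(SEQUENCE, _tlv(OID, bytes.fromhex("550403")) + _tlv(UTF8STRING, cn.encode()))
    return _tlv(SEQUENCE, _tlv(SET, atv))


def _utctime(dt):
    return _tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())


def build_sample_cert(issuer_cn, subject_cn, not_before, not_after):
    """Hypothetical test input: SPKI and signature are dummies, only the fields
    inspect_cert reads are meaningful."""
    sha256_rsa = _tlv(SEQUENCE, _tlv(OID, bytes.fromhex("2A864886F70D01010B")))
    tbs = _tlv(SEQUENCE,
               _tlv(VERSION_TAG, _tlv(INTEGER, b"\x02")) + _tlv(INTEGER, b"\x01") + sha256_rsa
               + _name(issuer_cn)
               + _tlv(SEQUENCE, _utctime(not_before) + _utctime(not_after))
               + _name(subject_cn)
               + _tlv(SEQUENCE, b""))
    return _tlv(SEQUENCE, tbs + sha256_rsa + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    clock = utc(2020, 1, 1)  # fixed clock so the run is reproducible
    bad = build_sample_cert("updates.example", "updates.example", utc(2018, 1, 1), utc(2019, 1, 1))
    good = build_sample_cert("Example Root CA", "updates.example", utc(2019, 6, 1), utc(2021, 6, 1))
    for label, der in (("bad", bad), ("good", good)):
        print(label, audit_update_endpoint_cert(der, clock) or ["no findings"])
```

The issuer/subject comparison is done on the raw DER Name encodings, which is how a verifier decides whether a certificate is its own issuer before it even looks at the signature; a match here means the endpoint is not chained to any CA your client trusts, and a client that still accepts it (as some update agents do) is trusting whatever answers on that hostname.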