>> I still cannot parse this. Care to explain?
> After the https handshake there is no obligation to use http at all inside the tunnel
It's worse than that: almost no firewalls even force you to do the https handshake; they just allow anything that's on port 443 through, so you can use any protocol at all.
There are a handful of good firewalls (Sidewinder being one) and IDS systems that will still watch port 443 traffic and alert you if they see something that doesn't look like https on that port, but if you go that far, you really do need to go further and have a full https MITM proxy/filter.
As for the thought that you don't have confidential information on an Internet-connected device, do you really think that executives who have all sorts of confidential information on their systems (including a ton of stuff in their e-mail about financial data of the company, plans for the future, etc.) are not going to be connected to the Internet at some point?
There are places for isolated networks, but corporate desktops are not one of them.
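To make concrete what "doesn't look like https on that port" means for the IDS check described in the comment above, here is an added example (not from the thread or any named product) of the kind of first-packet heuristic such a sensor applies: it inspects the opening bytes of a port-443 flow for a plausible TLS ClientHello and flags everything else. The flow ids and sample packets are constructed.

```python
def build_client_hello() -> bytes:
    """Build a synthetic (constructed) TLS 1.2 ClientHello wrapped in one TLS record."""
    body = (b"\x03\x03"            # client_version: TLS 1.2
            + b"\x00" * 32         # random (zeros are fine for a sample)
            + b"\x00"              # session_id length 0
            + b"\x00\x02\x13\x01"  # cipher_suites: 2 bytes, TLS_AES_128_GCM_SHA256
            + b"\x01\x00"          # compression_methods: 1 method, null
            + b"\x00\x00")         # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # 0x16 = handshake record


def classify_port443_flow(first_bytes: bytes) -> str:
    """Return 'tls' if the client's first bytes form a plausible TLS ClientHello, else why not."""
    if len(first_bytes) < 9:
        return "undecided"            # too little data; a real sensor would wait for more
    content_type, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    if content_type != 0x16:
        return "not-tls-record"       # e.g. an SSH banner, cleartext HTTP, or a custom tunnel
    if major != 0x03 or minor > 0x03:
        return "bad-tls-version"      # record-layer version is 3.0 to 3.3 for every real client
    record_len = int.from_bytes(first_bytes[3:5], "big")
    handshake_type = first_bytes[5]
    handshake_len = int.from_bytes(first_bytes[6:9], "big")
    if handshake_type != 0x01:
        return "not-client-hello"     # a client must open the connection with ClientHello
    if handshake_len + 4 != record_len:
        return "length-mismatch"      # header fields disagree: not a genuine ClientHello
    return "tls"


def scan(flows: dict) -> dict:
    """Classify each flow; anything that is neither TLS nor still undecided deserves an alert."""
    return {fid: classify_port443_flow(data) for fid, data in flows.items()}


# Constructed first packets from clients on port 443, keyed by a hypothetical flow id.
SAMPLE_FLOWS = {
    "flow-1": build_client_hello(),                           # genuine TLS handshake
    "flow-2": b"SSH-2.0-OpenSSH_9.6\r\n",                     # SSH banner on 443
    "flow-3": b"GET / HTTP/1.1\r\nHost: example.test\r\n",    # cleartext HTTP on 443
    "flow-4": b"\x00\x00\x00\x05\x01\xff\xff\xff\x00",        # arbitrary binary protocol
    "flow-5": b"\x16\x03",                                    # truncated: decide later
}

if __name__ == "__main__":
    verdicts = scan(SAMPLE_FLOWS)
    alerts = [fid for fid, v in verdicts.items() if v not in ("tls", "undecided")]
    print(verdicts)
    print("alert on:", alerts)   # flow-2, flow-3, flow-4
```

This check only sees the first packet, so anything that starts with a real TLS handshake passes it, which is exactly why the comment says that a sensor this thorough still needs to be backed by a full https MITM proxy/filter.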
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds