top | item 46215825

(no title)

NicolaiS | 2 months ago

Got acquired by a Fortune 500 and recieved new laptop. First hour I'm seeing TLS errors everywhere except the browser. They'd half-baked their internal CA rollout, so wasn't trusted properly.

By day two I started validating their setup. The CA literally had a typo in the company name, not a great sign.

A quick check with badssl.com showed that any self-signed(!) cert was being transparently MITM'ed and re-signed by their trusted corporate cert. Took them 40 days to fix it.

Another fun side-effect of this is that devs will just turned off TLS verification, so their codebase is full of `curl -k`, `verify_mode = VERIFY_NONE`, `ServerCertificateValidationCallback = () => true`, ... Exactly the thing you want to see at a big fintech company /s

discuss

lisbbb|2 months ago

I've experienced similar. It has definitely made me less enthusiastic about working for any of those fools ever again. It's all just an exercise in mediocrity. The illiterate emails people send out are even worse--I swear that a lot of US born adults are functionally illiterate.