  • jandrese 2032 days ago
    I had to look at some of these devices from a security standpoint and I was shocked that they would re-sign an SSL connection without first checking that the original certificate was good. They would accept anything even vaguely certificate-shaped and happily re-sign it with their own cert. Didn't matter if it was expired, for the wrong domain, in a CRL, or even self-signed.

    I'm guessing this was for performance reasons, but it was a really shocking disregard for the entire reason we are running TLS in the first place.

    If your own workplace uses one of these DPI MITM TLS devices, I suggest you hit up https://badssl.com/dashboard/ and see what it allows through. Some of these are configurable and you may be able to convince your admins to fix some of the more egregious failures.

    I was also doing this a few years ago, so hopefully the situation has improved since then.

    • solatic 2031 days ago
      You're assuming that the people who buy these things care about security. They don't, they care about creating a digital Panopticon. What happens to data when it leaves the corporate network is irrelevant to their interests.
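As an added example (not from the thread), here is the validation jandrese describes the devices skipping: before a re-signing interceptor mints its own copy of a certificate, the origin's leaf must chain to a trusted root, be inside its validity window and match the host the client asked for. It uses only the Go standard library; the root CA, the `example.test` hostnames and every certificate are constructed in the code, and the CRL case needs a separate CRL or OCSP lookup that is not covered here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds a constructed test certificate for cn; with parent == nil it is self-signed.
func mkCert(cn string, notBefore, notAfter time.Time, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey) // only fails on a bad template
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// UpstreamAcceptable is the check the devices skipped: the origin's leaf must chain to a trusted root, be within its validity window and match the requested host. Revocation (CRL/OCSP) is a separate lookup not shown here.
func UpstreamAcceptable(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// Scenarios replays the failures the comment lists against a constructed root CA; a nil error means re-signing is safe, anything else must be surfaced to the client instead.
func Scenarios() map[string]error {
	now, host := time.Now(), "mail.example.test" // constructed hostname
	ca, caKey := mkCert("root.example.test", now.Add(-time.Hour), now.Add(24*time.Hour), true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, _ := mkCert(host, now.Add(-time.Hour), now.Add(time.Hour), false, ca, caKey)
	expired, _ := mkCert(host, now.Add(-48*time.Hour), now.Add(-24*time.Hour), false, ca, caKey)
	wrongHost, _ := mkCert("other.example.test", now.Add(-time.Hour), now.Add(time.Hour), false, ca, caKey)
	selfSigned, _ := mkCert(host, now.Add(-time.Hour), now.Add(time.Hour), false, nil, nil)
	return map[string]error{
		"valid":       UpstreamAcceptable(good, host, roots),
		"expired":     UpstreamAcceptable(expired, host, roots),
		"wrong host":  UpstreamAcceptable(wrongHost, host, roots),
		"self-signed": UpstreamAcceptable(selfSigned, host, roots),
	}
}
```

Only the "valid" entry comes back nil; the other three fail with the distinct x509 error types Go reports for expiry, hostname mismatch and an unknown issuer.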