[conspire] Cloudbleed ahoy

Rick Moen rick at linuxmafia.com
Sat Feb 25 17:23:14 PST 2017


Quoting Nick Moffitt (nick at zork.net):

> Gosh, it's almost as if having one company MITM all TLS connections on
> the Internet is a bad idea or something.

The firm I most recently worked for ran a separate division to operate a
'merchant bank', which is to say an operation that processed online
credit card transactions for the main firm and for a variety of outside
clients.  I was one of the Operations people building and then running
the merchant bank.  For _that_ part of the overall firm, there was
absolutely no question that zero outsourced traffic of any kind would be
tolerable, as we had to take PCI (Personal Card Industries) security
certification requirements very seriously.

I would _hope_ that any firm with medium/high security sensitivity like
banks and medical establishments would do likewise, but, well, making
that assumption is setting one's self up for disappointment.  As we said
for a while after the 1997 San Diego cult-suicide horror, 'So many
idiots, so few comets.'




