Risks associated with DPI-SSL exclusion list
What kind of certificate 'failures' are deemed low-risk? I'm certainly not a security expert, but it seems there are basically 3 categories of CA failures: (1) bad/missing/expired CA from a legitimate site, (2) CA failure due to SSL pinning (preventing MITM inspection) from a legitimate site, and (3) bad/missing/expired CA or SSL pinning from a malicious site. It seems reasonable to consider bypassing DPI-SSL for category (2), and possibly (1), especially if we need to "do business" with that particular site.
When we add a URL to the DPI-SSL exclusion list, we're basically saying, "we know there are going to be certificate issues with this site, so we just won't do the DPI on encrypted traffic" - potentially giving a malicious site an easy opportunity to drop a malicious payload from an encrypted stream.
Of course, the low-risk path is to not bypass a site with certificate issues. But with browsers now enforcing encrypted connections, legitimate sites that didn't bother with certs before are now getting their affairs in order, and the major sites are also doing SSL pinning, to eliminate the possibility of MITM inspection. Once "most" of the Web is serving up encrypted traffic, and even doing SSL pinning, what power will advanced firewalls have in that situation? (This is more of a philosophical question than a technical one - maybe?)
So for the near term, for legitimate sites that are (or are expected to be) doing SSL pinning, what do we look for in the CA failure message? Is it a failure in the initial handshake? Similarly, for possible "bad guy" sites, what are the certificate failures that might be a red flag to not add to the DPI bypass list? TIA!
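One way to separate the three failure categories from the firewall's vantage point, written as an added example rather than anything from the original post or from a firewall vendor: a TLS-inspecting proxy sees two distinct things per session, the result of its own validation of the origin server's certificate chain, and what the internal client did after being offered the proxy's re-signed certificate. The event fields, enum names and sample hosts below are assumptions constructed for the example; real DPI-SSL logs use their own field names.

```python
"""Triage of DPI-SSL exclusion-list candidates (added example, not vendor code).

Assumed observation model: for each inspected session the firewall records
(a) whether the origin server's chain validated against its trust store and
(b) how the internal client reacted to the re-signed certificate. Field names
and sample hosts are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class UpstreamVerify(Enum):
    """Firewall's own validation of the origin server's certificate chain."""
    OK = "ok"                      # trusted issuer, in validity period, name matches
    EXPIRED = "expired"
    UNTRUSTED_CA = "untrusted_ca"  # self-signed or unknown issuer
    NAME_MISMATCH = "name_mismatch"


class ClientOutcome(Enum):
    """What the internal client did after receiving the re-signed certificate."""
    COMPLETED = "completed"                    # client accepted the proxy cert
    ABORTED_AFTER_CERT = "aborted_after_cert"  # client closed right after ServerCertificate
    OTHER_FAILURE = "other_failure"            # timeout, reset, protocol error


@dataclass(frozen=True)
class InspectionEvent:
    host: str
    upstream: UpstreamVerify
    client: ClientOutcome


class Decision(Enum):
    INSPECT = "keep inspecting"
    PIN_CANDIDATE = "pinning pattern: exclusion candidate, confirm site is expected"
    DO_NOT_EXCLUDE = "origin certificate problem: do not exclude"


def classify(ev: InspectionEvent) -> Decision:
    # A bad origin chain is never grounds for an exclusion: excluding the host
    # would hide exactly the traffic that warrants scrutiny. The certificate
    # alone cannot tell a sloppy legitimate site from a malicious one.
    if ev.upstream is not UpstreamVerify.OK:
        return Decision.DO_NOT_EXCLUDE
    # Origin chain was fine and the client rejected the re-signed certificate:
    # that is the pinning signature. The failure is client-side, after the
    # certificate is presented, not in the firewall's upstream validation.
    if ev.client is ClientOutcome.ABORTED_AFTER_CERT:
        return Decision.PIN_CANDIDATE
    return Decision.INSPECT


def exclusion_candidates(events, min_sessions=3):
    """Hosts that show the pinning pattern in at least min_sessions sessions
    and never show an origin-certificate problem in the same window."""
    pin_hits = Counter()
    tainted = set()
    for ev in events:
        decision = classify(ev)
        if decision is Decision.DO_NOT_EXCLUDE:
            tainted.add(ev.host)
        elif decision is Decision.PIN_CANDIDATE:
            pin_hits[ev.host] += 1
    return sorted(h for h, n in pin_hits.items()
                  if n >= min_sessions and h not in tainted)


# Constructed sample events (not real hosts or log data).
SAMPLE_EVENTS = [
    # A vendor update channel: valid origin chain, client aborts every time.
    InspectionEvent("updates.vendor.test", UpstreamVerify.OK, ClientOutcome.ABORTED_AFTER_CERT),
    InspectionEvent("updates.vendor.test", UpstreamVerify.OK, ClientOutcome.ABORTED_AFTER_CERT),
    InspectionEvent("updates.vendor.test", UpstreamVerify.OK, ClientOutcome.ABORTED_AFTER_CERT),
    # Ordinary browsing: chain fine, client accepted the re-signed cert.
    InspectionEvent("www.example.test", UpstreamVerify.OK, ClientOutcome.COMPLETED),
    # Expired origin certificate: category (1) or (3), indistinguishable here.
    InspectionEvent("portal.example.test", UpstreamVerify.EXPIRED, ClientOutcome.OTHER_FAILURE),
    # Looks like pinning, but the origin also presented an untrusted chain once.
    InspectionEvent("cdn.example.test", UpstreamVerify.OK, ClientOutcome.ABORTED_AFTER_CERT),
    InspectionEvent("cdn.example.test", UpstreamVerify.OK, ClientOutcome.ABORTED_AFTER_CERT),
    InspectionEvent("cdn.example.test", UpstreamVerify.OK, ClientOutcome.ABORTED_AFTER_CERT),
    InspectionEvent("cdn.example.test", UpstreamVerify.UNTRUSTED_CA, ClientOutcome.OTHER_FAILURE),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.host:24} {ev.upstream.value:14} {ev.client.value:20} -> {classify(ev).value}")
    print("exclusion candidates:", exclusion_candidates(SAMPLE_EVENTS))
```

The answer to "is it a failure in the initial handshake?" falls out of the two fields: with a pinning client, the firewall's upstream validation of the origin succeeds and the handshake with the origin completes; what fails is the client-facing handshake, where the client tears the connection down immediately after seeing the re-signed certificate. When instead the firewall's own upstream validation fails (expired, untrusted issuer, name mismatch), the certificate tells you nothing about whether the site is legitimate, so that failure type is the red flag for an exclusion, and the sample keeps such hosts off the candidate list even when they also show the pinning pattern.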