Educause Security Discussion mailing list archives
What are people doing with the risks of SSL proxies with Cell carriers?
From: James H Moore <jhmfa () RIT EDU>
Date: Mon, 12 Dec 2005 12:54:13 -0500
We are in the process of developing a standard for handheld devices. We had a risk surface in one of our meetings. With PocketPC smartphones, and Exchange, we have long had a requirement for SSL encryption. I naively assumed that it was end-to-end. I hadn't really looked at the technology. But it seems that some carriers proxy the SSL, with essentially a contractual man-in-the-middle. I was wondering how others viewed that.

The second question had to do with risk management techniques (does anyone with smartphones have business associate agreements with their carriers?).

Jim

P.S. There was also interest in using Outlook Mobile Access (text based) so that not-so-smart phones could be used. But the information that I get is that OMA will connect either http or https, and there is a way to force this, but if there is an SSL proxy, then the Cell carrier may connect to the phone http (if that is all that it supports) and then connect into OMA with https.

- - - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating information security best practices, as hackers and criminals are at sharing attack information" - Peter Presidio