Firewall Wizards mailing list archives
SSL proxy info
From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 18 Sep 1997 13:06:47 -0400 (EDT)
I was just wondering if anyone had a consensus of SSL proxy capabilities from a firewall perspective. There seem to be three general schemes, the first is to just pass the encrypted transport straight through, which ensures the user's privacy, but not the site's security. The second is one which allows the HTTP headers to be examined, but not the data, which in my mind seems almost as bad security-wise as the first, though at least you can check site names, and do connection policy enforcement somewhat. The last is to get a proxy with specific support for what amounts to a MITM attack on the crypto, and allows complete inspection of the packet contents prior to re-encryption.

At the moment I'm strongly favoring the last, as I don't think that from a business perspective, there's a good deal of argument for not being able to inspect packets, but I was wondering if anyone else had specific thoughts on the issues, and generally available implementations.

Patent-wise, given the expiration of Diffie-Hellman (6 Sep), and the pending expiration of Hellman-Merkle (6 Oct), freely available SSL with V3.0 (D-H, SHA, DES) is now a possibility in the US (for as long as the government stays away), and I see this as an important change.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net  which may have no basis whatsoever in fact."
                                                                     PSB#9280
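The second scheme in the post above (headers visible, data not), as an added example that is not part of the original message: it assumes the client requests the tunnel with an HTTP CONNECT line, and the host names, ports and policy are constructed for illustration.

```python
# Added example: what a header-only SSL proxy can enforce before the
# encrypted session starts. Assumption: the tunnel is requested with an
# HTTP CONNECT line; policy values below are constructed, not from the post.
import re

ALLOWED_PORTS = {443, 563}                 # constructed policy
ALLOWED_EXACT = {"bank.example.net"}       # constructed policy
ALLOWED_SUFFIXES = (".example.com",)       # constructed policy
HOST_RE = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request head, or raise ValueError."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii", "strict")
    parts = head.split("\r\n")[0].split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError("not a CONNECT request")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("target must be host:port")
    # Normalise before matching so case or a trailing dot cannot dodge policy.
    host = host.lower().rstrip(".")
    if not HOST_RE.fullmatch(host):
        raise ValueError("unexpected characters in host")
    return host, int(port)


def decide(request: bytes) -> str:
    """Policy verdict using only what is visible in the clear."""
    try:
        host, port = parse_connect(request)
    except ValueError:          # also covers non-ASCII request heads
        return "deny: malformed"
    if port not in ALLOWED_PORTS:
        return "deny: port"
    if host not in ALLOWED_EXACT and not host.endswith(ALLOWED_SUFFIXES):
        return "deny: host"
    # From here the proxy relays ciphertext only: paths, cookies and bodies
    # inside the tunnel are never seen, which is the limit the post notes.
    return "allow"
```

The verdict rests on the name the client asked for, so it enforces connection policy but says nothing about the content carried inside the tunnel.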
Current thread:
- SSL proxy info Paul D. Robertson (Sep 18)
- Re: SSL proxy info Adam Shostack (Sep 19)
- Re: SSL proxy info Paul D. Robertson (Sep 19)
- Re: SSL proxy info Adam Shostack (Sep 19)
- Re: SSL proxy info Paul D. Robertson (Sep 20)
- Re: SSL proxy info Adam Shostack (Sep 20)
- Re: SSL proxy info Paul D. Robertson (Sep 20)
- Re: SSL proxy info Paul D. Robertson (Sep 19)
- Re: SSL proxy info Adam Shostack (Sep 19)