Firewall Wizards mailing list archives
RE: Back onto reverse proxies
From: "Paul D. Robertson" <proberts () clark net>
Date: Wed, 28 Mar 2001 20:50:07 -0500 (EST)
On Wed, 28 Mar 2001, Ben Nagy wrote:

Hi, I generally agree with Ben, but I think I have a small issue...

> > sniffing of the network to find sensitive data. Hey but the server is a
> > proxy creating two connections decrypting inbound and then re-encrypting
> > in a different session outbound. This means that the data is decrypted
> > somewhere, probably in memory, allowing some clever git to read it.
>
> Uh...no. Proxy servers do not and cannot decrypt / re-encrypt SSL traffic.

Sure they can-

(a) they can act as the end server, present a valid certificate and then go do an SSL session for outbound (I've actually advocated this for some environments- it adds the ability to do ActiveX/VBS/Java stripping for instance- and if you own DNS or force proxy usage, it's pretty easy.)

(b) they can rewrite the inbound URLs to point to a different server. I've also thought that there may be a way with the proxy-specific stuff to do redirects or some other transport thing, but I've been unable to find a good spec. and not too interested in it lately.

(c) If NSA is still going up and down the Valley and MD/VA/DC area pimping key escrow, that could eventually become the vector to do this stuff.

(d) lastly, if you control the site and the proxy, you can share the cert and key exchange with the proxy.

(e) Given how often people don't update stuff and the lack of real CRLs for old implementations, if a valid signing cert (for generic stuff) or site cert (seen them on broken Web servers before) ever gets leaked, it'll be pretty easy to MITM. I think I've seen something within the last year to MITM as a proxy (it's easier to do on the far end than the near end, but I suppose you could do some nasty framing stuff and still get away with it on the front end if the end server accepts anybody (no client side certs., which seems to be the norm.)

> > A possible plus for a proxy that has inbound http/SSL and clear http to
> > the backend is that IDS boxes can read the http traffic looking for
> > attacks[...]
>
> That sort of proxy would be an SSL accelerator. It would almost never be

Technically, it's only an SSL accelerator if it does fast crypto- a config of mod_rewrite would do the same thing without any acceleration- in fact it'd probably slow things down.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
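An added illustration of the two-session layout argued over in this message (editor's example, not code from the thread or from anyone posting in it): a client speaks TLS to a reverse proxy that presents its own certificate, and the proxy either opens a separate TLS session to the origin (Paul's cases (a)/(d)) or hands clear HTTP to it (the layout behind the IDS remark). The point it makes concrete is the one Stuart raised and Ben disputed: between the two sessions the request is plaintext in the proxy's memory. It uses only Go's standard net/http/httptest and net/http/httputil packages, with httptest's throwaway loopback certificates; the function names, the `/login` path and the sample request body are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// HopTrace records what each party in a client -> reverse proxy -> origin
// exchange saw. The field that matters is SeenByProxy: the inbound TLS
// session terminates in the proxy process, so the request is plaintext there.
type HopTrace struct {
	SeenByProxy   string // request body as it sits in proxy memory
	SeenByBackend string // what the origin received on the second hop
	BackendScheme string // "https" (re-encrypted hop) or "http" (clear hop)
	Response      string // what the client finally got back
}

// RunTwoHop stands up an origin, a TLS-terminating reverse proxy in front of
// it and a client, then pushes one POST through. With backendTLS=true the
// proxy opens a second, independent TLS session to the origin; with
// backendTLS=false the second hop is clear HTTP, which is what lets an IDS on
// that segment read it. Everything runs on loopback with test certificates.
func RunTwoHop(body string, backendTLS bool) (HopTrace, error) {
	var tr HopTrace

	origin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		tr.SeenByBackend = string(b)
		io.WriteString(w, "origin saw: "+string(b))
	})
	var backend *httptest.Server
	if backendTLS {
		backend = httptest.NewTLSServer(origin)
	} else {
		backend = httptest.NewServer(origin)
	}
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		return tr, err
	}
	tr.BackendScheme = target.Scheme

	rp := httputil.NewSingleHostReverseProxy(target)
	// Outbound leg. backend.Client().Transport trusts exactly the origin's
	// certificate; a proxy that disabled verification here instead would be
	// interposable on its back side by anyone holding any certificate at all.
	rp.Transport = backend.Client().Transport

	proxy := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The client's TLS session ended at this listener: r.Body is plaintext.
		b, _ := io.ReadAll(r.Body)
		tr.SeenByProxy = string(b)
		r.Body = io.NopCloser(bytes.NewReader(b)) // pass the bytes on unchanged
		rp.ServeHTTP(w, r)
	}))
	defer proxy.Close()

	// The client trusts the proxy's certificate, so to it the proxy is the site.
	resp, err := proxy.Client().Post(proxy.URL+"/login", "text/plain", strings.NewReader(body))
	if err != nil {
		return tr, err
	}
	defer resp.Body.Close()
	out, err := io.ReadAll(resp.Body)
	if err != nil {
		return tr, err
	}
	tr.Response = string(out)
	return tr, nil
}

func main() {
	for _, reencrypt := range []bool{true, false} {
		// Constructed sample body; nothing here leaves the loopback interface.
		tr, err := RunTwoHop("user=alice&pw=hunter2", reencrypt)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("backend=%s proxy saw %q, origin saw %q, client got %q\n",
			tr.BackendScheme, tr.SeenByProxy, tr.SeenByBackend, tr.Response)
	}
}
```

Run it with `go run` and both variants print the same plaintext at the proxy hop, whether or not the second leg is re-encrypted; what the re-encrypted variant buys is that the proxy pins the origin's certificate on that leg, so the exposure is confined to the proxy host rather than the whole backend segment.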
Current thread:
- Back onto reverse proxies stuart.flisher (Mar 27)
- RE: Back onto reverse proxies Ben Nagy (Mar 28)
- RE: Back onto reverse proxies Paul D. Robertson (Mar 29)
- RE: Back onto reverse proxies stuart.flisher (Mar 29)
- RE: Back onto reverse proxies Paul D. Robertson (Mar 29)
- Re: Back onto reverse proxies ark (Mar 28)