Firewall Wizards mailing list archives
RE: SSL
From: Bruce Platt <Bruce () ei3 com>
Date: Fri, 19 Oct 2001 10:12:31 -0400
Paul D. Robertson wrote:
I haven't played with nimda server->client since the day it hit, so maybe my recollections are fuzzy, but it was my impression that the window open in hottips.htm would create another GET request for readme.eml. If it wasn't readme.eml, it was readme.exe. In either case, that GET request would expose its URL to an HTTPS proxy. The quick (HTTP not HTTPS) window.open test I just did locally via my home proxy confirms this behaviour, so please let me know if I'm missing something.
The window.open delivers the infected mail message which if one's Outlook is vulnerable ...
That's always been one of my arguments against packet filtering firewalls for sole protection for organizations who are concerned about active content issues. There's no surprise here for anyone who's gamed this out before. A proxy however is a different beast- since the packets are reassembled and parsed as such- the anti-javascript patches to http-gw are an example of how to do this (though the code is very, very ugly), it just needs an MITM attack to get the content in the clear (which was one of my goals in life at one point that Fred so fondly remembers.)
Yup, one does need the proxy to be a MITM to inspect the content, and the pros and cons of that are too lengthy here.
Server->server that's true, server->client the pages will serve just as well over https as they do over HTTP, but that javascript-nuking http proxy won't be effective in the least if you connect to the server via HTTPS without an MITM attack.
I want to make sure that people understand how vulnerable they are over HTTPS.
The point however is that at least thus far, people haven't been willing to even ask for "every defense" when it comes to encrypted traffic, and the balance between "privacy" for users and "security" for networks is increasingly going to become an issue.
Violent agreement.