Firewall Wizards mailing list archives
RE: RPCs over HTTPS through the firewall
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 22 Apr 2003 10:54:10 +0200
No. ben (more below)
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of david singleton
Sent: Monday, 21 April 2003 7:18 PM
To: firewall-wizards () honor icsalabs com

Microsoft's Outlook 11 can envelop its RPC traffic in HTTPS and thereby go through the firewall on port 443 to connect to the Exchange server. Is this thought to be any more risky than conventional port 443 traffic?

David

There are several ways I look at this.

First of all, it's way better to encapsulate something as icky as RPC if you're going to send it through the Big Wide Internet. Especially in SSL, since it's mostly secure. (Anyone know if MS do RSA blinding in their default crypto library?)

Second, in some ways this should make FW guys happy, because previously we had to jump through many hoops to make MS stuff talk RPC through firewalls, whereas SSL can at least be controlled via a single port, and using TCP state, at the least.

Finally, "conventional" port 443 traffic basically contains unsecured, unsecureable rubbish, passing through the firewall encrypted, so that it's all one Big River of Risk as far as an admin is concerned. Does it matter much if we add RPC to the sludge? Nnnnnnnope.

Allowing SSL traffic to pass encrypted through the firewall is always going to be a compromise between user privacy and the risk of 3v1l 5tuph being tunneled through the firewall. The technology does exist, in a clumsy way, to read the traffic. Most businesses have, either through design or laziness, chosen privacy.

(PLEASE let me be spared the rant here about how "businesses have a right to read all their employees' traffic" - it's incorrect, even in the more insane legal climates on the planet, it's really a question of philosophy, and it isn't really relevant ;)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards