Firewall Wizards mailing list archives
Re: Security of HTTPS
From: David Lang <david.lang () digitalinsight com>
Date: Sat, 25 Dec 2004 00:10:16 -0800 (PST)
sorry for the late reply, catching up on my mail

On Wed, 1 Dec 2004, Kevin wrote:

> Getting back on the topic of firewalls, I wonder if it would be possible for a firewall not doing MITM for SSL to validate the certificate presented by the remote server, and terminate the attempted SSL session if the certificate does not match the remote host, is not signed by an acceptable CA or has been revoked?
The problem is that the firewall doesn't know what the client is expecting to see in the cert. It could check to see if the cert was signed by a known organization, but not if the identity of the host matches the identity stipulated in the cert.
David Lang

-- 
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. -- C.A.R. Hoare
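The split David Lang describes can be made concrete. The example below is added here and is not code from the thread or from any firewall product; it models a server certificate as a plain dict (constructed sample data, not real certificates) and separates the checks a non-intercepting firewall can decide from the certificate alone (issuer trust, revocation, validity period) from the one it cannot decide without knowing which name the client asked for (hostname match). The CA store, revocation list, hostnames and `check_cert`/`firewall_verdict` helpers are all assumptions for illustration.

```python
"""Added example: what a non-intercepting firewall can and cannot check
about a server certificate. Certificates are modelled as plain dicts
(constructed sample data, not real certificates)."""
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data: a trust store and a revocation list keyed by serial.
TRUSTED_CAS = {"Example Root CA", "Example Issuing CA"}
REVOKED_SERIALS = {"0x1f3a"}
SAMPLE_NOW = datetime(2004, 12, 25, tzinfo=timezone.utc)

# A certificate the client would accept for any one-label subdomain of example.com.
GOOD_CERT = {
    "subject_cn": "www.example.com",
    "san": ["www.example.com", "*.example.com"],
    "issuer": "Example Issuing CA",
    "serial": "0x0042",
    "not_before": datetime(2004, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2005, 1, 1, tzinfo=timezone.utc),
}

# Same names, but signed by an issuer the firewall has never heard of.
ROGUE_CERT = dict(GOOD_CERT, issuer="Unknown CA", serial="0x0099")


def match_hostname(pattern: str, host: str) -> bool:
    """Match a certificate name against a hostname. A single wildcard is
    allowed only as the whole left-most label (e.g. *.example.com) and must
    not stand in for a bare registry name such as *.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_cert(cert: dict, now: datetime,
               expected_host: Optional[str] = None) -> dict:
    """Return one entry per check. Checks that depend only on the certificate
    are always decided; hostname_match stays None ("unknown") when the
    firewall does not know which host the client intended to reach."""
    names = cert.get("san") or [cert["subject_cn"]]
    result = {
        "issuer_trusted": cert["issuer"] in TRUSTED_CAS,
        "not_revoked": cert["serial"] not in REVOKED_SERIALS,
        "in_validity": cert["not_before"] <= now <= cert["not_after"],
        "hostname_match": None,
    }
    if expected_host is not None:
        result["hostname_match"] = any(match_hostname(n, expected_host)
                                       for n in names)
    return result


def firewall_verdict(result: dict) -> str:
    """'drop' if any decided check failed, 'unknown' if the only open
    question is the hostname, otherwise 'pass'."""
    decided = [v for v in result.values() if v is not None]
    if not all(decided):
        return "drop"
    return "unknown" if result["hostname_match"] is None else "pass"


if __name__ == "__main__":
    # Without the client's intended name the best the firewall can say is
    # "unknown"; with it, the same certificate becomes a pass or a drop.
    print(firewall_verdict(check_cert(GOOD_CERT, SAMPLE_NOW)))
    print(firewall_verdict(check_cert(GOOD_CERT, SAMPLE_NOW, "www.example.com")))
    print(firewall_verdict(check_cert(GOOD_CERT, SAMPLE_NOW, "www.example.net")))
    print(firewall_verdict(check_cert(ROGUE_CERT, SAMPLE_NOW)))
```

The point of the `None` value is that it is not a failure the firewall can act on: a certificate valid for `*.example.com` is fine if the client wanted `www.example.com` and wrong if it wanted `www.example.net`, and only the client knows which. Guessing the expected name from a reverse lookup of the destination address does not close the gap, since one address commonly serves many hostnames.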