RE: SSL - Man-in-the-Middle filtering

["Scalcione.David" <SCALCIONED () YANB com>]

> is there any standard mechanism (in SSL standard or in HTTP standard)
> to send actual CA certificate to the browser by forward proxies?

I think that would defeat the whole purpose of SSL. The whole point of SSL is to warn the user if they don't trust the 
CA. Users would need to manually install that CA cert before that kind of IPS system would work. Otherwise they'd get a 
security warning every time they access an SSL connection. If it WERE possible to make the browser display a prompt to 
install the CA cert, the IPS device would not know if the user ever installed it and would prompt them to install it 
every time they opened an SSL connection. Also, remember, any protocol can travel through SSL. It's not always a 
browser as the SSL client, could be email, VPN, etc.


Dave

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ravi Chunduru
Sent: 08 December 2007 18:33
To: focus-ids () securityfocus com
Subject: SSL - Man-in-the-Middle filtering

it seems that some network IPS devices and application firewalls are
not only providing SSL based HTTP inspection on server side, but also
on client side (i know  of one IPS device which is in beta testing).
i understand that it is required as attacks can be sent in SSL to
avoid blocking.

when deployed on client side, these devices resign certificates (of
public servers) with local CA certificate. i see two aspects to it -
users need to trust local authority (enterprise administrators) and
second is users will have  false sense of security (that is users are
no longer see the actual CA of server certificate).

any comments on acceptance of this functionality in enterprise deployments?

is there any standard mechanism (in SSL standard or in HTTP standard)
to send actual CA certificate to the browser by forward proxies?

thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw 
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------ 
 
The information contained in this communication is confidential and privileged information intended only for the use of 
the individual or entity to which it is addressed. If you are not the addressee indicated in this message (or an agent 
responsible for delivery of the message to such person), you are hereby notified that you have received this 
communication in error and that any review, dissemination, copying, or any action or omission taken by you in reliance 
on it, is strictly prohibited. Please destroy this message and notify the sender immediately if you have received it in 
error.
Please also advise immediately if you or your employer do not consent to e-mail communications. Opinions, conclusions 
and other information in this message that do not relate to the official business of Yardville National Bank shall be 
understood as neither given nor endorsed by it.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------