SSL Filtering

["Jason Sloderbeck" <jason () positivenetworks net>]

Now you can buy products off-the-shelf that man-in-the-middle SSL with
the "new feature" called SSL Filtering; both WebWasher and Secure
Computing are offering this functionality.

In summary, the transparent SSL proxy dynamically issues certificates
for any SSL server you try to communicate with (e.g. "etrade.com"),
which allows it to act as though it were the actual server and proxy,
decrypt, and filter all SSL information from the server. Somehow or
another, your browser must trust the proxy server's own root CA. Of
course, your company's security policy will surely require you to do so.

A whitepaper is available that includes a poignant section labeled "What
Are Employees Trying To Hide?" (check the diagram near the bottom for a
process flow diagram):
http://www.webwasher.com/enterprise/download/white_paper/en_SSL.pdf

Here's an eWeek article on the topic:
http://www.eweek.com/article2/0,4149,1342951,00.asp

> From the article: "Because SSL is a secure and encrypted connection, it
has been impossible to scan SSL connections for viruses or to apply
content filters to the information that passes through an SSL
connection. ... If a visitor to the company uses the network to access a
secure Web-mail client, it makes it possible to break this security and
scan a user's mail."

Note that companies that use CONNECT to tunnel secure communication and
don't use SSL or other PKI-derived methods /for authentication/ can not
be man-in-the-middled by this. So, SSL as a protocol may be fine, but
this is one more reason not to get too comfortable with its PKI.

-Jason


--
Jason Sloderbeck
Positive Networks
http://www.positivenetworks.net/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html