Full Disclosure mailing list archives
Re: SSL Filtering - OFFTOPIC
From: "Kurt Seifried" <listuser () seifried org>
Date: Thu, 16 Oct 2003 22:34:07 -0600
Now you can buy products off-the-shelf that man-in-the-middle SSL with the "new feature" called SSL Filtering; both WebWasher and Secure Computing are offering this functionality.
Not new, I remember discussing this years ago, however implementation is another story.
In summary, the transparent SSL proxy dynamically issues certificates for any SSL server you try to communicate with (e.g. "etrade.com"), which allows it to act as though it were the actual server and proxy, decrypt, and filter all SSL information from the server. Somehow or another, your browser must trust the proxy server's own root CA. Of course, your company's security policy will surely require you to do so.
If you control the client to such a degree (being able to force installation of root authority certificates) then it's a moot point. If however you can trick the client into installing such a certificate, and maybe fiddle their DNS server settings at the same time, you have a larger problem. Like the SWEN virus did..... Personally I think this is going to be a huge area. Why dick around stealing credit card numbers/etc when you can simply sieze someone's online banking/brokering credentials, or a few hundred such accounts oh, just like Van T. Dinh did: http://www.theregister.co.uk/content/55/33320.html $90,000 for the cost of sending someone a small trojan. Not a bad risk/reward ratio, if you can figure out how to launder the money. Things will probably get a lot worse before they get well and truly bad, to say nothing of when they get utterly horrible. Sort of wish I'd patented this now ("one-click financial fraud"?). Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- SSL Filtering Jason Sloderbeck (Oct 16)
- Re: SSL Filtering - OFFTOPIC Kurt Seifried (Oct 16)
- Re: SSL Filtering Shawn McMahon (Oct 17)
- <Possible follow-ups>
- Re: SSL Filtering John Sec (Oct 17)
- Re: SSL Filtering Blue Boar (Oct 17)
- Re: SSL Filtering Brian Hatch (Oct 17)
- Re: SSL Filtering Blue Boar (Oct 17)