Full Disclosure mailing list archives
Re: SSL Filtering
From: "John Sec" <john_sec_lists () hotmail com>
Date: Fri, 17 Oct 2003 17:46:41 +0000
Now you can buy products off-the-shelf that man-in-the-middle SSL with the "new feature" called SSL Filtering; both WebWasher and Secure Computing are offering this functionality. In summary, the transparent SSL proxy dynamically issues certificates for any SSL server you try to communicate with (e.g. "etrade.com"), which allows it to act as though it were the actual server and proxy, decrypt, and filter all SSL information from the server. Somehow or another, your browser must trust the proxy server's own root CA. Of course, your company's security policy will surely require you to do so. A whitepaper is available that includes a poignant section labeled "What Are Employees Trying To Hide?" (check the diagram near the bottom for a process flow diagram): http://www.webwasher.com/enterprise/download/white_paper/en_SSL.pdf Here's an eWeek article on the topic: http://www.eweek.com/article2/0,4149,1342951,00.asp From the article: "Because SSL is a secure and encrypted connection, it has been impossible to scan SSL connections for viruses or to apply content filters to the information that passes through an SSL connection. ... If a visitor to the company uses the network to access a secure Web-mail client, it makes it possible to break this security and scan a user's mail." Note that companies that use CONNECT to tunnel secure communication and don't use SSL or other PKI-derived methods /for authentication/ can not be man-in-the-middled by this. So, SSL as a protocol may be fine, but this is one more reason not to get too comfortable with its PKI. -Jason
Is there a way to detect if this MITM is being performed? _________________________________________________________________Fretting that your Hotmail account may expire because you forgot to sign in enough? Get Hotmail Extra Storage today! http://join.msn.com/?PAGE=features/es
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- SSL Filtering Jason Sloderbeck (Oct 16)
- Re: SSL Filtering - OFFTOPIC Kurt Seifried (Oct 16)
- Re: SSL Filtering Shawn McMahon (Oct 17)
- <Possible follow-ups>
- Re: SSL Filtering John Sec (Oct 17)
- Re: SSL Filtering Blue Boar (Oct 17)
- Re: SSL Filtering Brian Hatch (Oct 17)
- Re: SSL Filtering Blue Boar (Oct 17)