Security Basics mailing list archives

RE: Preventing tunnels through HTTPS proxies


From: "Erik Soosalu" <eriks () nationalfastfreight com>
Date: Thu, 18 Jun 2009 13:38:27 -0400

-----Original Message-----
From: Morgan Reed [mailto:morgan.s.reed () gmail com]
Sent: Wednesday, June 17, 2009 11:03 PM
To: Erik Soosalu
Cc: Mariusz Kruk; security-basics () securityfocus com
Subject: Re: Preventing tunnels through HTTPS proxies

On Thu, Jun 18, 2009 at 04:27, Erik Soosalu <eriks () nationalfastfreight com> wrote:
Read his paragraph again - he talks about re-encrypting the traffic with
a Private CA.  In a MS environment, this would be easy to push out the
private cert via GPO.

The problem with this is that you've just eliminated the
authentication aspect of an SSL connection, as you are effectively
MITMing the connection using your cert, which will be trusted by all
clients. If a client were to visit a site using an invalid SSL cert,
they will NOT see the SSL certificate warnings they would otherwise
see.

Although I suppose you could validate the SSL certs server-side and
only pass connections to servers with a cert signed by a CA you trust,
an invalid SSL cert is not always a problem, and you may end up
blocking access to sites which are legitimate but have an invalid cert
for one reason or another.

That's what the appliance we use does - validate every certificate en route.  It can do this without the inside SSL inspection as well, if you want.

We hit maybe one or two certs per month we have to do a manual allow.
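As an added illustration of the point argued in this thread (not code from either poster or from any appliance): a proxy that re-signs traffic with a private CA has taken the authentication decision away from the browser, so it must validate the upstream chain and hostname itself, keep a manual allow list for the rare legitimate exception, and only then mint the client-facing certificate. Go standard library only; the CA names, hostnames and in-memory PKI are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mintCert issues a cert for cn from a constructed in-memory PKI; self-signed when parent is nil.
func mintCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: modern verifiers match the SAN list, not the CN
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// inspect is the proxy's policy: verify the upstream chain and hostname against the
// roots the proxy trusts (allow list only for known exceptions), and only then
// re-sign for the client with the private CA. Returns nil when the connection is blocked.
func inspect(host string, up *x509.Certificate, roots *x509.CertPool, allow map[string]bool,
	privCA *x509.Certificate, privKey *ecdsa.PrivateKey) (*x509.Certificate, string) {
	_, err := up.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil && !allow[host] {
		return nil, "blocked: " + err.Error()
	}
	cert, _ := mintCert(host, false, privCA, privKey) // client-facing cert from the private CA
	if err != nil {
		return cert, "forwarded: manual allow"
	}
	return cert, "forwarded: upstream valid"
}
```

Whatever the proxy decides, the client only ever sees a private-CA certificate that its GPO-pushed root trusts, which is why the upstream check has to happen here.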
