Security Basics mailing list archives

RE: Preventing tunnels through HTTPS proxies


From: Mariusz Kruk <kruk () epsilon eu org>
Date: Fri, 19 Jun 2009 08:42:13 +0200

On Thu, 2009-06-18 at 13:38 -0400, Erik Soosalu wrote:
Read his paragraph again - he talks about re-encrypting the traffic with
a Private CA.  In a MS environment, this would be easy to push out the
private cert via GPO. 
The problem with this is that you've just eliminated the
Authentication aspect of an SSL connection, as you are effectively
MITMing the connection using your cert, which will be trusted by all
clients. If a client were to visit a site using an invalid SSL cert,
they will NOT see the SSL certificate warnings they would otherwise
see.

Although I suppose you could validate the SSL certs server-side and
only pass connections to servers with a cert signed by a CA you trust,
but then an invalid SSL cert is not always a problem and you may be
blocking access to sites which are legitimate but have an invalid cert
for one reason or another.
That's what the appliance we use does - validate every certificate en route. It does this without the inside
SSL inspection as well, if you want.

We hit maybe one or two certs per month we have to do a manual allow.

But it's not a solution. It's just a workaround.
The problem, as I see it, is not the SSL tunnel itself. It's the users
connecting via unauthorised means. And we still can bypass the filters
by, for example (I think someone already mentioned that), sending
encrypted data as arguments of an HTTP POST request via an SSL connection.
It'd get passed as legitimate HTTP traffic while being in fact a VPN
connection.
If such re-encrypting appliances become more commonly used, I'd bet
we'll see more of such multi-layer techniques as I described above.

-- 
d'`'`'`'`'`'`'`'`'`'`'`'`'Yb You   meant   to   type  ##  instead  of  #,
`b  Kruk () epsilon eu org   d' right?(TeX)
d' http://epsilon.eu.org/ Yb 
`b,-,.,-,.,-,.,-,.,-,.,-,.d' 
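The case Kruk raises above, encrypted data carried as arguments of an ordinary HTTP POST, is invisible to a proxy that only checks certificates. As an added example (not code from anyone in this thread), here is a small Python heuristic a proxy or log reviewer could run over captured form bodies after inspection: it flags fields whose base64 payload decodes to near-random bytes. The thresholds and the sample bodies are constructed assumptions, and the check is a heuristic, not proof of tunnelling.

```python
import base64, binascii, hashlib, math
from collections import Counter
from urllib.parse import parse_qs, urlencode

# Assumed thresholds (not from the thread): ciphertext decodes to ~8 bits/byte.
MIN_LEN = 64        # ignore short base64-looking values (tokens, ids)
ENTROPY_MIN = 7.0   # bits per byte of the decoded payload

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def try_b64(value: str):
    """Strictly decode value as base64, or return None if it is not base64."""
    if len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def suspicious_params(body: str):
    """Fields of an x-www-form-urlencoded body that carry high-entropy
    base64 blobs, returned as [(field, bits_per_byte)]."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            raw = try_b64(v) if len(v) >= MIN_LEN else None
            if raw is not None:
                h = shannon_entropy(raw)
                if h >= ENTROPY_MIN:
                    hits.append((name, round(h, 2)))
    return hits

def _pseudo_ciphertext(n_blocks: int = 128) -> bytes:
    """Deterministic stand-in for 4 KiB of ciphertext (a SHA-256 chain)."""
    block, out = b"constructed-seed", b""
    for _ in range(n_blocks):
        block = hashlib.sha256(block).digest()
        out += block
    return out

# Constructed sample bodies: an ordinary form post, and one whose "data"
# field smuggles an encrypted-looking payload inside a normal-looking POST.
NORMAL_BODY = urlencode({"user": "alice", "comment": "hello world " * 10})
PAYLOAD = base64.b64encode(_pseudo_ciphertext()).decode()
TUNNEL_BODY = urlencode({"session": "abc123", "data": PAYLOAD})
```

Run `suspicious_params` on each body: the normal post yields nothing, the tunnel-style post reports the `data` field at close to 8 bits per byte.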

