Security Basics mailing list archives
Re: Checkpoint smart defance as IPS
From: Shreyas Zare <shreyas () secfence com>
Date: Wed, 2 Jun 2010 21:18:34 +0530
Hi Craig, I think you should read some basics from wikipedia [ http://en.wikipedia.org/wiki/Transport_Layer_Security#How_it_works ] In short, you can *only* MITM SSL/TLS for a website if you have the private key of the certificate installed on the website OR if you are a certification authority (CA) trusted by the victim and make a fake certificate on the fly at your proxy/gateway for the website requested. If it was possible as you claimed, the protocol will be totally broken and it will be front page news article. Regards, Shreyas Zare Sr. Information Security Researcher Secfence Technologies www.secfence.com On Wed, Jun 2, 2010 at 4:54 AM, Craig S. Wright <craig.wright () information-defense com> wrote:
Actually, no. You are forgetting that the gateway can also intercept and modify DNS traffic. SSL relies on DNS resolution. If you intercept the DNS traffic and change the destination to one controlled by the gateway, you can have a signed RA cert at the gateway. The browser trusts the signer, and you go from there. SSL does not let you know if you have been sent to the correct site. SSL only lets you know that the DNS address (as returned to your host) matches the name in the certificate. You have to think outside of SSL and web traffic. There are other components, but it is doable. DNSSec does cause problems, but if we are talking a corporate site, the control of DNS is also controlled. Regards, ... Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ... Information Defense Pty Ltd -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Shreyas Zare Sent: Tuesday, 1 June 2010 2:58 AM To: security-basics () securityfocus com Subject: Re: Checkpoint smart defance as IPS Hi, Yes, but as Bretten Andrew mentioned earlier, the client machine needs to trust an internal CA (which will be used to dynamically generate cert for SSL MITM that matches the site being visited by user) Regards, -- Shreyas Zare Sr. Information Security Researcher Secfence Technologies www.secfence.com On Sun, May 30, 2010 at 2:40 AM, Craig S. Wright <craig.wright () information-defense com> wrote:Not at all. Your comment was: "An IPS that decrypts SSL does not exist." This is blatantly false. IDS, IPS, Wireshark even all have SSL decryption capabilities. There is no requirement for a separate proxy. Checkpoint has this capability. NO extra proxy. You seem to be missingthatdistinction. Regards, ... Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ... Information Defense Pty Ltd -----Original Message----- From: Trevor Alexander [mailto:trevor.alexander.email () gmail com] Sent: Sunday, 30 May 2010 4:28 AM To: <craig.wright () Information-Defense com> Cc: Laurens Vets; <mzcohen2682 () aim com>;<security-basics () securityfocus com>Subject: Re: Checkpoint smart defance as IPS You are saying the same thing me and anyone else who has posted on the topic is saying, you're just using different words. You should read the whole thread before you make comments.
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: Checkpoint smart defance as IPS Shreyas Zare (Jun 01)
- Message not available
- Re: Checkpoint smart defance as IPS Shreyas Zare (Jun 03)
- RE: Checkpoint smart defance as IPS Craig S. Wright (Jun 03)
- Message not available
- Re: Checkpoint smart defance as IPS Shreyas Zare (Jun 03)
- RE: Checkpoint smart defance as IPS Craig S. Wright (Jun 03)
- RE: Checkpoint smart defance as IPS Craig S. Wright (Jun 03)
- Message not available
- Re: Checkpoint smart defance as IPS Shreyas Zare (Jun 03)
- RE: Checkpoint smart defance as IPS Craig S. Wright (Jun 03)
- Re: Checkpoint smart defance as IPS Al MailingList (Jun 03)
- Re: Checkpoint smart defance as IPS Paul Johnston (Jun 07)
- Re: Checkpoint smart defance as IPS Shreyas Zare (Jun 07)
- Re: Checkpoint smart defance as IPS John Morrison (Jun 07)
- Re: Checkpoint smart defance as IPS Shreyas Zare (Jun 03)
- Message not available