Re: Checkpoint smart defance as IPS

[Shreyas Zare <shreyas () secfence com>]

Hi Craig,

I think you should read some basics from wikipedia [
http://en.wikipedia.org/wiki/Transport_Layer_Security#How_it_works ]

In short, you can *only* MITM SSL/TLS for a website if you have the
private key of the certificate installed on the website OR if you are
a certification authority (CA) trusted by the victim and make a fake
certificate on the fly at your proxy/gateway for the website
requested.

If it was possible as you claimed, the protocol will be totally broken
and it will be front page news article.

Regards,

Shreyas Zare

Sr. Information Security Researcher
Secfence Technologies
www.secfence.com


On Wed, Jun 2, 2010 at 4:54 AM, Craig S. Wright
<craig.wright () information-defense com> wrote:
> Actually, no.
>
> You are forgetting that the gateway can also intercept and modify DNS
> traffic. SSL relies on DNS resolution. If you intercept the DNS traffic and
> change the destination to one controlled by the gateway, you can have a
> signed RA cert at the gateway. The browser trusts the signer, and you go
> from there.
>
> SSL does not let you know if you have been sent to the correct site. SSL
> only lets you know that the DNS address (as returned to your host) matches
> the name in the certificate. You have to think outside of SSL and web
> traffic. There are other components, but it is doable.
>
> DNSSec does cause problems, but if we are talking a corporate site, the
> control of DNS is also controlled.
>
> Regards,
> ...
> Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
> Information Defense Pty Ltd
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of Shreyas Zare
> Sent: Tuesday, 1 June 2010 2:58 AM
> To: security-basics () securityfocus com
> Subject: Re: Checkpoint smart defance as IPS
>
> Hi,
>
> Yes, but as Bretten Andrew mentioned earlier, the client machine needs
> to trust an internal CA (which will be used to dynamically generate
> cert for SSL MITM that matches the site being visited by user)
>
> Regards,
>
> --
> Shreyas Zare
>
> Sr. Information Security Researcher
> Secfence Technologies
> www.secfence.com
>
>
> On Sun, May 30, 2010 at 2:40 AM, Craig S. Wright
> <craig.wright () information-defense com> wrote:
> > Not at all. Your comment was:
> > "An IPS that decrypts SSL does not exist."
> >
> > This is blatantly false. IDS, IPS, Wireshark even all have SSL decryption
> > capabilities. There is no requirement for a separate proxy.
> >
> > Checkpoint has this capability. NO extra proxy. You seem to be missing
> that
> > distinction.
> >
> > Regards,
> > ...
> > Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
> > Information Defense Pty Ltd
> >
> >
> >
> > -----Original Message-----
> > From: Trevor Alexander [mailto:trevor.alexander.email () gmail com]
> > Sent: Sunday, 30 May 2010 4:28 AM
> > To: <craig.wright () Information-Defense com>
> > Cc: Laurens Vets; <mzcohen2682 () aim com>;
> <security-basics () securityfocus com>
> > Subject: Re: Checkpoint smart defance as IPS
> >
> > You are saying the same thing me and anyone else who has posted on the
> > topic is saying, you're just using different words. You should read
> > the whole thread before you make comments.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------