Security Basics mailing list archives

Question on appliances that do "decryption" of SSL


From: Ray Van Dolson <rvdolson () gmail com>
Date: Thu, 21 Apr 2011 12:00:17 -0700

Hearing a lot from vendors these days that do "decryption" of SSL
(usually in the form of HTTPS presumably).  I've been trying to think
up how this could be implemented:

- Somehow the device has the private key of the remote site being
accessed (unlikely for Internet sites)
- The device presents a certificate that is "valid" to the
browser/client and then transparently proxies on to the "real" site.

Am I missing some other method?  This would be easy enough to
circumvent by removing your "organization" as a trusted CA from your
browser... I'd think also this could introduce concerns where an
invalid certificate is being used on the "real" site, though obviously
the MITM device could relay this back to the client with a bit of
intelligence I suppose.

Thoughts?

Thanks,
Ray

