Security Basics mailing list archives
RE: Question on appliances that do "decryption" of SSL
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 25 Apr 2011 12:06:34 -0700
Usually the device is a proxy -- the client connects to the device, and the device to the server on the client's behalf. Obviously the device needs to offer the client a trusted certificate with a public key for which the device itself has the private key.

Yes, you can break this by removing your browser's trust of the device's certificate signature. But typically that does NOT mean that you get an encrypted session that the box can't decrypt -- it means you get NO connection.

Moral: If you don't want your employer to be able to see what you are doing, don't use their equipment/network to do it.

David Gillett

-----Original Message-----
From: Ray Van Dolson [mailto:rvdolson () gmail com]
Sent: Thursday, April 21, 2011 12:00
To: security-basics () securityfocus com
Subject: Question on appliances that do "decryption" of SSL

Hearing a lot from vendors these days that do "decryption" of SSL (usually in the form of HTTPS presumably). I've been trying to think up how this could be implemented:

- Somehow the device has the private key of the remote site being accessed (unlikely for Internet sites)
- The device presents a certificate that is "valid" to the browser/client and then transparently proxies on to the "real" site.

Am I missing some other method? This would be easy enough to circumvent by removing your "organization" as a trusted CA from your browser...

I'd think also this could introduce concerns where an invalid certificate is being used on the "real" site, though obviously the MITM device could relay this back to the client with a bit of intelligence I suppose.

Thoughts?

Thanks,
Ray
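The trust relationship discussed in this message, as an added example that is not part of the original thread: the client's chain check succeeds only while the inspection device's CA is a trust anchor, and fails outright once it is not. It assumes the openssl CLI is installed; the CA names, the helper function names and the host www.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed names, all kept in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name> <CN>: self-signed root, standing in for one trust-store entry.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf <ca> <host>: the device's side of the proxy. It holds the private
# key for a certificate naming the requested host, signed by its own CA.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# client_accepts <ca> <host>: the client's chain check with <ca> as trust anchor.
# Exit status 0 means the chain verifies, non-zero means it is rejected.
client_accepts() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# issuer_of <host>: who signed the certificate the client was shown.
issuer_of() {
    openssl x509 -in "$WORK/$1.crt" -noout -issuer
}

make_ca inspect "Constructed Corp Inspection CA"   # pushed to managed clients
make_ca public  "Constructed Public CA"            # a trust store without it
issue_leaf inspect www.example.com

client_accepts inspect www.example.com &&
    echo "org CA trusted: chain verifies, session terminates on the device"
client_accepts public www.example.com ||
    echo "org CA not trusted: verification fails, no session is established"
issuer_of www.example.com   # an issuer naming the inspection CA shows interception
```

Comparing the issuer seen on the managed network with the issuer seen from an independent network is the quickest way for a user or auditor to confirm that inspection is in place.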