Educause Security Discussion mailing list archives

Re: SKYPE - What's the latest in terms of Risk...


From: David Morton <dmorton () U WASHINGTON EDU>
Date: Thu, 20 Dec 2007 09:00:34 -0800

I thought that PaloAlto Networks solutions work as an SSL proxy
(similar to BlueCoat, etc).  In this case it must sit inline and
terminate and regenerate all encrypted tunnels. I've looked at packet
flows in this area for a while, but my understanding was that the
client always received a cert from the proxy (with the public key of
the destination server).

Client |<------SSL Tunnel--------->| Proxy |<--------SSL Tunnel------>| HTTPS Web site

I wasn't aware that they had the ability to actually transparently
decrypt SSL.  If they can do this, it is both cool and scary.

Mike do you have more info on their capabilities?


David

On Dec 20, 2007, at 8:08 AM, Terry Gray wrote:

Wow... talk about a two-edged sword.

Does this product go in the "Be careful what you ask for" category?
Should we also become Clipper chip enthusiasts?

-teg

On Thu, 20 Dec 2007, Mike Corcoran wrote:

Scott Koger wrote:
As long as the application continues to use encryption
for the traffic, there is no way to inspect the traffic
(huge hole for unintended data leakage)

Not true, at least in general.  The new firewall from
PaloAlto Networks decrypts SSL traffic by doing a
man-in-the-middle attack, and allows you to filter
even on encrypted traffic.  I don't know if there are
any issues with Skype's SSL implementation, but PaloAlto
gave me the impression that they could decode most if not
all SSL implementations.  They have not cracked ssh yet,
but they are working on it.  We plan to evaluate PaloAlto's
product early next year.

Mike
--
Mike Corcoran, Systems Security Engineer
Wright State University, CaTS
Voice:937-775-2431, Fax:937-775-4049
http://www.cats.wright.edu/
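The terminate-and-regenerate flow David describes above (and the "decrypts SSL by doing a man-in-the-middle" behaviour Mike mentions) can be modelled end to end with the Go standard library. The following is an added example, not code from this thread or from PaloAlto Networks, and it makes two assumptions of its own: a constructed "public root" CA issues the real origin certificate, and a constructed "proxy" CA issues the certificate the inspecting device hands to the client for the same host name. The proxy's leaf carries a fresh key rather than the origin's, because whatever terminates the client-side tunnel has to hold the matching private key. The example then shows what a client sees in each case: the proxy-minted chain fails against the public root alone, succeeds once the proxy CA is installed in the client's trust store (which is how such deployments are made to work), and is caught regardless by a SubjectPublicKeyInfo pin taken from the origin certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // simple unique serial counter for the constructed certs

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint creates a certificate for subject signed by parent (self-signed when
// parent is nil). With isCA it is a signing CA; otherwise a server leaf whose
// DNS name is subject. Every key here is freshly generated.
func mint(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo: what a pinning client
// compares against the origin's known-good key, independent of the issuer.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ChainValid reports whether leaf chains to a root in roots for host.
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Outcome records what a client sees for the origin certificate and for the
// proxy-regenerated one, with and without the proxy CA in its trust store.
type Outcome struct {
	OriginTrusted      bool // origin leaf, public root only
	ProxyTrustedPublic bool // proxy leaf, public root only
	ProxyTrustedWithCA bool // proxy leaf, public root plus proxy CA
	OriginPinMatches   bool // pin taken from the origin leaf, checked on itself
	ProxyPinMatches    bool // same pin checked against the proxy leaf
}

// Simulate builds the origin chain and the proxy-regenerated chain for host
// and evaluates both the way a client would.
func Simulate(host string) Outcome {
	publicCA, publicKey := mint("Public Root CA (constructed)", true, nil, nil)
	proxyCA, proxyKey := mint("Campus SSL Proxy CA (constructed)", true, nil, nil)
	origin, _ := mint(host, false, publicCA, publicKey)
	proxied, _ := mint(host, false, proxyCA, proxyKey) // same name, proxy's own key

	publicOnly := x509.NewCertPool()
	publicOnly.AddCert(publicCA)
	withProxy := x509.NewCertPool()
	withProxy.AddCert(publicCA)
	withProxy.AddCert(proxyCA)

	pin := SPKIPin(origin)
	return Outcome{
		OriginTrusted:      ChainValid(origin, publicOnly, host),
		ProxyTrustedPublic: ChainValid(proxied, publicOnly, host),
		ProxyTrustedWithCA: ChainValid(proxied, withProxy, host),
		OriginPinMatches:   SPKIPin(origin) == pin,
		ProxyPinMatches:    SPKIPin(proxied) == pin,
	}
}

func main() {
	fmt.Printf("%+v\n", Simulate("www.example.edu"))
}
```

The two results worth noting for the "be careful what you ask for" discussion are the middle and last fields: an inspecting proxy only works transparently on machines where its CA has been pushed into the trust store, and any client that pins the origin's key (or compares the issuer against what it expects) will still notice the regenerated certificate.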

