Educause Security Discussion mailing list archives

Re: SKYPE - What's the latest in terms of Risk...


From: Charlie Prothero <Charlie.Prothero () KEYSTONE EDU>
Date: Thu, 20 Dec 2007 21:07:11 -0500

I am not a lawyer, but this sounds like the "scanning" vs. "reading"
debate that recently ensued in regard to Gmail scanning for ad placement
purposes.  Most of our networks are the private property of our
respective institutions, and we have policy statements indicating that
the networks exist for institutional business purposes and that we
reserve the right to inspect traffic going through them.  An inline
scanner configured to execute institutional policy re: bandwidth usage,
QOS, etc., sounds like a good thing - provided it doesn't store what it
inspects.  Most of us already do this with packet shapers.  This device
just seems to take it a step further.

- Charlie

________________________________

From: Bill Brinkley [mailto:wbbrinkley () GMAIL COM]
Sent: Thursday, December 20, 2007 7:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: SKYPE - What's the latest in terms of Risk...

I would also be interested to know how this is accomplished.

Would you inform the end user that the institution is decrypting
traffic? How would you keep from violating the Computer Fraud and Abuse
Act <http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act> ?
Decrypting bank, government or military communications might violate
Federal law.

-Bill Brinkley
Sr. Security Analyst

On Dec 20, 2007 12:00 PM, David Morton <dmorton () u washington edu>
wrote:

I thought that PaloAlto Networks solutions work as an SSL proxy
(similar to BlueCoat, etc.).  In this case it must sit inline and
terminate and regenerate all encrypted tunnels. I've looked at packet
flows in this area for a while, but my understanding was that the
client always received a cert from the proxy (with the public key of
the destination server).

Client |<------SSL Tunnel--------->| Proxy |<--------SSL Tunnel-------->| HTTPS Web site

I wasn't aware that they had the ability to actually transparently
decrypt SSL.  If they can do this, it is both cool and scary.

Mike, do you have more info on their capabilities?


David


On Dec 20, 2007, at 8:08 AM, Terry Gray wrote:

Wow... talk about a two-edged sword.

Does this product go in the "Be careful what you ask for" category?
Should we also become Clipper chip enthusiasts?

-teg

On Thu, 20 Dec 2007, Mike Corcoran wrote:

Scott Koger wrote:
As long as the application continues to use encryption
for the traffic, there is no way to inspect the traffic 
(huge hole for unintended data leakage)

Not true, at least in general.  The new firewall from
PaloAlto Networks decrypts SSL traffic by doing a
man-in-the-middle attack, and allows you to filter
even on encrypted traffic.  I don't know if there are
any issues with Skype's SSL implementation, but PaloAlto
gave me the impression that they could decode most if not
all SSL implementations.  They have not cracked ssh yet,
but they are working on it.  We plan to evaluate PaloAlto's
product early next year.

Mike
--
Mike Corcoran, Systems Security Engineer
Wright State University, CaTS 
Voice:937-775-2431, Fax:937-775-4049
http://www.cats.wright.edu/
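The two-tunnel proxy model David describes above, as an added Python model (not code from this thread or from any vendor): the inline proxy re-issues the site's certificate under its own CA, the client accepts it only if that CA is in its trust store, and an out-of-band pinned fingerprint still detects the swap even when the proxy CA has been pushed to clients. The HMAC-based CA, hostnames and keys are constructed stand-ins for a real signature and PKI.

```python
import hashlib
import hmac
import os


class CA:
    """Certificate authority. Simplification: an HMAC over the cert fields
    stands in for a real signature, so verifier and issuer share the key."""

    def __init__(self, name):
        self.name = name
        self._key = os.urandom(32)  # constructed per-run key

    def _body(self, cert):
        return f"{cert['subject']}|{cert['pubkey']}|{cert['issuer']}".encode()

    def issue(self, subject, pubkey):
        cert = {"subject": subject, "pubkey": pubkey, "issuer": self.name}
        cert["sig"] = hmac.new(self._key, self._body(cert), "sha256").hexdigest()
        return cert

    def verify(self, cert):
        if cert["issuer"] != self.name:
            return False
        expected = hmac.new(self._key, self._body(cert), "sha256").hexdigest()
        return hmac.compare_digest(cert["sig"], expected)


def fingerprint(cert):
    """Hash of the leaf identity that a client can pin out of band."""
    return hashlib.sha256(f"{cert['subject']}|{cert['pubkey']}".encode()).hexdigest()


def intercept(proxy_ca, server_cert):
    """Proxy side: terminate the server-side tunnel, then re-issue the site's
    certificate under the proxy CA with a key the proxy itself controls."""
    return proxy_ca.issue(server_cert["subject"], f"proxy-key-for-{server_cert['subject']}")


def client_accepts(cert, trust_store, pinned=None):
    """Client side: returns (accepted, reason). Chain validation passes only if
    a CA in the trust store signed the cert; a pinned fingerprint catches the
    re-issued cert even when the proxy CA is trusted."""
    if not any(ca.verify(cert) for ca in trust_store):
        return False, "untrusted issuer"
    if pinned is not None and fingerprint(cert) != pinned:
        return False, "pin mismatch"
    return True, "ok"
```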