Educause Security Discussion mailing list archives
Re: SKYPE - What's the latest in terms of Risk...
From: Charlie Prothero <Charlie.Prothero () KEYSTONE EDU>
Date: Thu, 20 Dec 2007 21:07:11 -0500
I am not a lawyer, but this sounds like the "scanning" vs. "reading" debate that recently ensued in regard to Gmail scanning for ad placement purposes. Most of our networks are the private property of our respective institutions, and we have policy statements indicating that the networks exist for institutional business purposes and that we reserve the right to inspect traffic going through them. An inline scanner configured to execute institutional policy re: bandwidth usage, QOS, etc, sounds like a good thing - provided it doesn't store what it inspects. Most of us already do this with packet shapers. This device just seems to take it a step further.

- Charlie

________________________________
From: Bill Brinkley [mailto:wbbrinkley () GMAIL COM]
Sent: Thursday, December 20, 2007 7:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: SKYPE - What's the latest in terms of Risk...

I would also be interested to know how this is accomplished. Would you inform the end user that the institution is decrypting traffic? How would you keep from violating the Computer Fraud and Abuse Act <http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act>? Decrypting bank, government or military communications might violate Federal law.

-Bill Brinkley
Sr. Security Analyst

On Dec 20, 2007 12:00 PM, David Morton <dmorton () u washington edu> wrote:

I thought that PaloAlto Networks solutions work as an SSL proxy (similar to BlueCoat, etc). In this case it must sit inline and terminate and regenerate all encrypted tunnels. I've looked at packet flows in this area for a while, but my understanding was that the client always received a cert from the proxy (with the public key of the destination server)

Client |<------SSL Tunnel--------->| Proxy |<--------SSL Tunnel-------->| HTTPS Web site

I wasn't aware that they had the ability to actually transparently decrypt SSL. If they can do this, it is both cool and scary. Mike do you have more info on their capabilities?

David

On Dec 20, 2007, at 8:08 AM, Terry Gray wrote:

Wow... talk about a two-edged sword. Does this product go in the "Be careful what you ask for" category? Should we also become Clipper chip enthusiasts?

-teg

On Thu, 20 Dec 2007, Mike Corcoran wrote:

Scott Koger wrote:

As long as the application continues to use encryption for the traffic, there is no way to inspect the traffic (huge hole for unintended data leakage)

Not True, at least in general. The new firewall from PaloAlto Networks decrypts SSL traffic by doing a man-in-the-middle attack, and allows you to filter even on encrypted traffic. I don't know if there are any issues with Skype's SSL implementation, but PaloAlto gave me the impression that they could decode most if not all SSL implementations. They have not cracked ssh yet, but they are working on it. We plan to evaluate PaloAlto's product early next year.

Mike

--
Mike Corcoran, Systems Security Engineer
Wright State University, CaTS
Voice:937-775-2431, Fax:937-775-4049
http://www.cats.wright.edu/
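The topology David describes (the client's tunnel terminated at the proxy, a second tunnel from the proxy to the site, and the client handed a certificate minted by the proxy rather than the site's own) is exactly what a client-side public-key pin is designed to notice. The following is an added example written for this archive page; it is not code from any poster, from Palo Alto Networks or from BlueCoat. It models the two certificate chains with constructed certificates (the names, key bytes and the "Campus Inspection CA" root are all made up, and name linkage stands in for real signature verification) and shows why a chain that validates through an installed enterprise root still fails a pin on the site's key.

```python
"""Model of transparent TLS interception and a pin check that detects it.

Added example; certificates are constructed stand-ins, not real X.509 data.
Chain building here matches issuer to subject by name only; a real client
also verifies each signature, validity period and key usage.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: bytes  # constructed stand-in for the DER SubjectPublicKeyInfo


def spki_fingerprint(cert: Cert) -> str:
    """SHA-256 over the public key: the value a pin is expressed against."""
    return hashlib.sha256(cert.pubkey).hexdigest()


def build_path(chain: List[Cert], trusted_roots: List[Cert]) -> Optional[List[Cert]]:
    """Walk from the leaf through issuers until a trusted root is reached.

    Returns the ordered path leaf -> ... -> root, or None when the chain does
    not terminate in any root the client trusts (what a browser would flag).
    """
    by_subject = {c.subject: c for c in chain}
    roots = {r.subject: r for r in trusted_roots}
    path = [chain[0]]
    seen = {chain[0].subject}
    while True:
        current = path[-1]
        if current.issuer in roots:
            path.append(roots[current.issuer])
            return path
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen:  # missing issuer or a loop
            return None
        path.append(nxt)
        seen.add(nxt.subject)


def classify(chain: List[Cert], trusted_roots: List[Cert], pinned_spki: str) -> str:
    """Verdict for a connection: 'direct', 'intercepted' or 'untrusted'.

    'intercepted' is the case the thread is about: the chain validates because
    the inspection device's CA is in the client's trust store, but the leaf key
    is not the site's pinned key, so something else terminated the tunnel.
    """
    if build_path(chain, trusted_roots) is None:
        return "untrusted"
    if spki_fingerprint(chain[0]) == pinned_spki:
        return "direct"
    return "intercepted"


def regenerate_leaf(site_leaf: Cert, proxy_ca: Cert, proxy_key: bytes) -> Cert:
    """What the inline proxy does: same subject name, proxy-issued, proxy's key."""
    return Cert(site_leaf.subject, proxy_ca.subject, proxy_key)


# Constructed certificates for the two tunnels in David's diagram.
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", b"constructed-public-root-key")
PUBLIC_ISSUING = Cert("Public Issuing CA", "Public Root CA", b"constructed-issuing-key")
SITE_LEAF = Cert("bank.example", "Public Issuing CA", b"constructed-bank-key")
PROXY_CA = Cert("Campus Inspection CA", "Campus Inspection CA", b"constructed-proxy-ca-key")
PROXY_LEAF = regenerate_leaf(SITE_LEAF, PROXY_CA, b"constructed-proxy-minted-key")

# The pin the client carries: the fingerprint of the site's real key.
PIN = spki_fingerprint(SITE_LEAF)


def direct_connection() -> str:
    """Proxy absent: the site's own chain reaches the client."""
    return classify([SITE_LEAF, PUBLIC_ISSUING], [PUBLIC_ROOT], PIN)


def proxied_with_ca_installed() -> str:
    """Proxy inline and its CA pushed to the managed machine."""
    return classify([PROXY_LEAF], [PUBLIC_ROOT, PROXY_CA], PIN)


def proxied_without_ca() -> str:
    """Proxy inline but its CA not trusted: ordinary certificate error."""
    return classify([PROXY_LEAF], [PUBLIC_ROOT], PIN)


if __name__ == "__main__":
    print("direct:", direct_connection())
    print("proxied, CA installed:", proxied_with_ca_installed())
    print("proxied, CA not installed:", proxied_without_ca())
```

The middle case is the one that matters for the policy discussion above: once the inspection device's root is installed on managed machines, the regenerated certificate validates cleanly and nothing in the browser's chrome changes, so a user only learns of the interception if told, or if the application pins the site's key and refuses the proxy-minted one.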
Current thread:
- SKYPE - What's the latest in terms of Risk... Sadler, Connie (Dec 19)
- <Possible follow-ups>
- Re: SKYPE - What's the latest in terms of Risk... Scott Koger (Dec 20)
- Re: SKYPE - What's the latest in terms of Risk... Mike Corcoran (Dec 20)
- Re: SKYPE - What's the latest in terms of Risk... Terry Gray (Dec 20)
- Re: SKYPE - What's the latest in terms of Risk... Tristan RHODES (Dec 20)
- Re: SKYPE - What's the latest in terms of Risk... David Morton (Dec 20)
- Re: SKYPE - What's the latest in terms of Risk... David Gillett (Dec 20)
- Re: SKYPE - What's the latest in terms of Risk... Cal Frye (Dec 20)
- Re: SKYPE - What's the latest in terms of Risk... Randall C Grimshaw (Dec 20)
- Re: SKYPE - What's the latest in terms of Risk... Bill Brinkley (Dec 20)
- Re: SKYPE - What's the latest in terms of Risk... Charlie Prothero (Dec 20)
- Re: SKYPE - What's the latest in terms of Risk... Chris Edwards (Dec 21)
- Re: SKYPE - What's the latest in terms of Risk... Vincent Stoffer (Dec 21)