Firewall Wizards mailing list archives

RE: Back onto reverse proxies


From: "Paul D. Robertson" <proberts () clark net>
Date: Wed, 28 Mar 2001 20:50:07 -0500 (EST)

On Wed, 28 Mar 2001, Ben Nagy wrote:

Hi, 

I generally agree with Ben, but I think I have a small issue...

> > sniffing of the network to find sensitive data. Hey but the server is a
> > proxy creating two connections decrypting inbound and then re-encrypting in
> > a different session outbound. This means that the data is decrypted
> > somewhere, probably in memory, allowing some clever git to read it.
>
> Uh...no. Proxy servers do not and cannot decrypt / re-encrypt SSL traffic.

Sure they can- (a) they can act as the end server, present a valid
certificate and then go do an SSL session for outbound (I've actually
advocated this for some environments- it adds the ability to do
ActiveX/VBS/Java stripping for instance- and if you own DNS or force
proxy usage, it's pretty easy.) (b) they can rewrite the
inbound URLs to point to a different server.  I've also thought that there
may be a way with the proxy-specific stuff to do redirects or some other
transport thing, but I've been unable to find a good spec. and not too
interested in it lately.  (c) If NSA is still going up and down the Valley
and MD/VA/DC area pimping key escrow, that could eventually become the
vector to do this stuff.  (d) lastly, if you control the site and the
proxy, you can share the cert and key exchange with the proxy. (e) Given
how often people don't update stuff and the lack of real CRLs for old
implementations, if a valid signing cert (for generic stuff) or site
cert (seen them on broken Web servers before) ever gets leaked, it'll be
pretty easy to MITM. 

I think I've seen something within the last year to MITM as a proxy (it's
easier to do on the far end than the near end, but I suppose you could do
some nasty framing stuff and still get away with it on the front end if
the end server accepts anybody (no client side certs., which seems to be
the norm.)  

> > A possible plus for a proxy that has inbound http/SSL and clear http to the
> > backend is that IDS boxes can read the http traffic looking for attacks
> > [...]
>
> That sort of proxy would be an SSL accelerator. It would almost never be

Technically, it's only an SSL accelerator if it does fast crypto- a config
of mod_rewrite would do the same thing without any acceleration- in fact
it'd probably slow things down.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
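The proxy setup the message describes (the proxy holds the site's certificate, terminates SSL, and either passes clear HTTP to the backend so an IDS can see it, or opens a separate SSL session outbound), as an added Apache httpd configuration example that is not from the thread. Hostnames, certificate paths and the backend name are placeholders, and it assumes mod_ssl, mod_proxy, mod_proxy_http and mod_rewrite are loaded.

```apache
# Added example, not from the list message. All names and paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    # The proxy holds the site's certificate and key, so to the browser it IS the
    # end server (the "act as the end server, present a valid certificate" case).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Variant 1: clear HTTP to the backend. Requests are decrypted here and
    # forwarded in the clear, so an IDS on the backend segment can read them.
    ProxyPreserveHost On
    ProxyPass        / http://backend.internal/
    ProxyPassReverse / http://backend.internal/

    # Variant 2 (use instead of Variant 1): re-encrypt toward the backend in a
    # second, separate SSL session. The plaintext still exists in proxy memory
    # between the two sessions, which is the point the quoted poster raised.
    # SSLProxyEngine on
    # SSLProxyVerify require
    # SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
    # ProxyPass        / https://backend.internal/
    # ProxyPassReverse / https://backend.internal/

    # The same forwarding written with mod_rewrite's [P] (proxy) flag, as the
    # message notes: it does no crypto offload, so nothing is "accelerated".
    # RewriteEngine On
    # RewriteRule ^/(.*)$ http://backend.internal/$1 [P,L]
</VirtualHost>
```

ProxyPassReverse rewrites Location and similar response headers so redirects issued by the backend point back at the proxy rather than exposing the backend name.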