Firewall Wizards mailing list archives

RE: SSL


From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 18 Oct 2001 23:58:10 -0400 (EDT)

On Thu, 18 Oct 2001, Ames, Neil wrote:

> I am baffled by how a proxy would handle the SSL exchange.  Aside from all
> other issues related to this thread, such as defenses at the client, or the
> break in end-to-end encryption, what is right or wrong with the following?
>
> 1) A user hits an SSL site with a cert (that the user's browser may or may
> not trust, and the firewall's proxy may or may not trust).

Nope, the user has to hit the proxy first.

> 2) The proxy lets the user determine that the proxy is going to trust the
> cert, according to some policy rule that allows that.

If you want to do this, why not just put a remote machine on the DMZ and
let users surf the Web via a remote display protocol (X over SSH, VNC over
SSH, Citrix...) and not worry about the internal vector anyway?

> 3) Proxy manages, somehow, to act as intermediary.  (This is what I don't
> get.)

(a) Does a valid MITM attack SSL (version and feature specific.)
(b) Generates a valid-looking cert. for the target site and presents it
as if it were the target site.
(c) rewrites incoming https://[foo] URLs to
http[s]://my.proxy/mitm/[foo].
(d) perhaps does a redirect (I've got some untested theories in that area)
(e) Perhaps there's also a cross-site frame thing you can do with the
proxy (don't forget you can act like a real site in the domain as the
proxy then serve up your own copy of the page in the unencrypted frame.)

> 4) The proxy sets up the SSL tunnel with the remote site.
> 5) The proxy sets up the SSL tunnel with the users browser.
> 6) The proxy checks everything as it hands pieces of the user-Web site
> exchange, filtering according to policy.
>
> What am I missing, particularly in how steps 3 and 5 would work?

See above.  Note that this doesn't take into account modifying the
browser, browser plug-ins or crypto libraries, all of which also could
work (though plug-ins are an unknown and probably depend on
platform/browser.) 

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
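Step 3(b) of Paul's answer (the proxy presents a certificate for the target site that it signed itself) and step 5 of Neil's list (the browser's side of the tunnel) come down to one question: does the browser's trust store contain the proxy's CA? The following is an added example, not code from the thread or from any list member, written against Go's standard crypto/x509 package. The CA name, the hostname www.example.com and the certificate lifetimes are made-up values. It mints a leaf for the target host under a throwaway proxy CA, then runs the same chain validation a browser would, first against an empty trust store and then with the proxy CA installed, and finally shows the check a client or monitor can use to tell that a session is being terminated at the proxy rather than at the real site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// genKey creates a fresh P-256 key pair; panicking on error is fine for a demo.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newProxyCA builds the self-signed CA the proxy signs its forged leaves with.
// The name and lifetime are made-up values for this example.
func newProxyCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := genKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Proxy CA (demo)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// mintLeaf is step 3(b): a server certificate for the target hostname,
// signed by the proxy CA instead of by the site's real issuer.
func mintLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := genKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return leaf
}

// browserAccepts is the client side of step 5: chain the presented leaf to a
// trusted root for the requested host. A nil error means no browser warning.
func browserAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// signedBy is the detection check: was this leaf issued by the proxy CA,
// i.e. is the session terminated at the proxy rather than at the real site?
func signedBy(leaf, ca *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(ca) == nil
}

func main() {
	ca, caKey := newProxyCA()
	leaf := mintLeaf("www.example.com", ca, caKey)

	// Untouched trust store: the forged leaf fails validation.
	fmt.Println("empty trust store:  ", browserAccepts(leaf, "www.example.com", x509.NewCertPool()))
	// Proxy CA installed on the client: the same leaf validates silently.
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println("proxy CA installed: ", browserAccepts(leaf, "www.example.com", pool))
	fmt.Println("issued by proxy CA: ", signedBy(leaf, ca))
}
```

The design point is that nothing in the leaf itself distinguishes the proxy's copy from a genuine one except the issuer; the only control a client has is which CAs it trusts, and the only reliable detection is comparing the issuing CA of the chain it sees with the one it expects, which is what signedBy does for the proxy's CA.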

