Firewall Wizards mailing list archives
RE: SSL
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 18 Oct 2001 23:58:10 -0400 (EDT)
On Thu, 18 Oct 2001, Ames, Neil wrote:
> I am baffled by how a proxy would handle the SSL exchange. Aside from all other issues related to this thread, such as defenses at the client or the break in end-to-end encryption, what is right or wrong with the following?
>
> 1) A user hits an SSL site with a cert (that the user's browser may or may not trust, and the firewall's proxy may or may not trust).
Nope, the user has to hit the proxy first.
> 2) The proxy lets the user determine that the proxy is going to trust the cert, according to some policy rule that allows that.
If you want to do this, why not just put a remote machine on the DMZ and let users surf the Web via a remote display protocol (X over SSH, VNC over SSH, Citrix...) and not worry about the internal vector anyway?
> 3) Proxy manages, somehow, to act as intermediary. (This is what I don't get.)
(a) Does a valid MITM attack SSL (version and feature specific.)
(b) Generates a valid-looking cert. for the target site and presents it as if it were the target site.
(c) Rewrites incoming https://[foo] URLs to http[s]://my.proxy/mitm/[foo].
(d) Perhaps does a redirect (I've got some untested theories in that area.)
(e) Perhaps there's also a cross-site frame thing you can do with the proxy (don't forget you can act like a real site in the domain as the proxy, then serve up your own copy of the page in the unencrypted frame.)
> 4) The proxy sets up the SSL tunnel with the remote site.
> 5) The proxy sets up the SSL tunnel with the user's browser.
> 6) The proxy checks everything as it hands pieces of the user-Web site exchange, filtering according to policy.
>
> What am I missing, particularly in how steps 3 and 5 would work?
See above. Note that this doesn't take into account modifying the browser, browser plug-ins or crypto libraries, all of which also could work (though plug-ins are an unknown and probably depend on platform/browser.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
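An added illustration of step (c) above, written for this archive page and not taken from the thread: the URL rewrite that keeps the browser routed through the proxy, the inverse mapping the proxy applies when the rewritten request comes back (where it must validate the host it extracts, so it never opens a connection to something the rewrite rule did not produce), and the link rewriting applied to a relayed page. The proxy hostname my.proxy and the /mitm/ prefix are from the message; the function names and the sample HTML are assumptions.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Proxy hostname and path prefix as written in the message above.
PROXY_HOST = "my.proxy"
MITM_PREFIX = "/mitm/"
# Only a plain hostname with an optional port is accepted when mapping back;
# userinfo ("user@host") or other oddities are rejected so the proxy never
# connects to a host its own rewrite rule could not have produced.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")
# href/src/action attributes that hold absolute https:// links.
_LINK_ATTR = re.compile(r'\b(href|src|action)=(["\'])(https://[^"\']*)\2', re.IGNORECASE)


def rewrite_url(url: str, proxy_host: str = PROXY_HOST) -> str:
    """Map https://host[:port]/path?q#f to https://proxy/mitm/host[:port]/path?q#f.
    Non-https URLs and URLs already pointing at the proxy are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return url
    if parts.netloc == proxy_host and parts.path.startswith(MITM_PREFIX):
        return url  # already rewritten; avoid /mitm/my.proxy/mitm/... nesting
    new_path = MITM_PREFIX + parts.netloc + (parts.path or "/")
    return urlunsplit(("https", proxy_host, new_path, parts.query, parts.fragment))


def unrewrite_url(proxy_path: str) -> Optional[Tuple[str, str]]:
    """Inverse mapping on the proxy side: '/mitm/host/path' -> (host, '/path').
    Takes the request path without its query string; returns None for anything
    that does not look like a URL this proxy produced."""
    if not proxy_path.startswith(MITM_PREFIX):
        return None
    host, _, path = proxy_path[len(MITM_PREFIX):].partition("/")
    if not _HOST_RE.match(host):
        return None
    return host, "/" + path


def rewrite_html(html: str, proxy_host: str = PROXY_HOST) -> str:
    """Rewrite absolute https:// links in a relayed page so the browser's next
    request also goes to the proxy instead of straight to the target site."""
    return _LINK_ATTR.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{rewrite_url(m.group(3), proxy_host)}{m.group(2)}",
        html,
    )


# Constructed sample page (hypothetical hosts), not taken from the thread.
SAMPLE_HTML = '<a href="https://www.example.com/login?next=/">Log in</a> <img src="http://cdn.example.com/a.png">'

if __name__ == "__main__":
    print(rewrite_html(SAMPLE_HTML))
    print(unrewrite_url("/mitm/www.example.com/login"))
```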