Firewall Wizards mailing list archives
RE: Security of HTTPS
From: "Ben Nagy" <ben () iagu net>
Date: Mon, 6 Dec 2004 09:09:25 +0100
Hi Kevin,
-----Original Message-----
> On Tue, 23 Nov 2004 09:24:45 +0100, Ben Nagy <ben () iagu net> wrote:
> > ...or total misuse of the protocol to ignore server authentication
> > (nobody does that although it is supported in theory).
>
> Are you referring to checking for a trusted signature on the certificate presented by the server, or some other server authentication?
No, I was talking about the ANON_DH_* cipher suites, but trying to simplify. Sorry. :( [...]
> Getting back on the topic of firewalls, I wonder if it would be possible for a firewall not doing MITM for SSL to validate the certificate presented by the remote server, and terminate the attempted SSL session if the certificate does not match the remote host, is not signed by an acceptable CA or has been revoked?
So...we use the firewall to attempt to do "better" certificate validation than the client. Sure it's possible, I'm just wondering if it's wise. As you say, it offers to provide some extra protection with low overhead, but there is strong potential for the usability to suck.

Actually, _I_ was wondering if it's possible to change IE's behaviour to "deny without asking" instead of popping up the certificate warning dialog, perhaps via group policy, but a rapid googling didn't turn up anything...

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
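One way a firewall that is not doing MITM could act on the server side of the handshake Kevin and Ben are discussing, as an added example that is not from the original thread (stdlib Python, constructed sample bytes rather than real captures): it parses the server's first flight of TLS records, flags a negotiated ANON_DH suite, and records whether a Certificate message was sent at all. Checking that certificate's chain, hostname and revocation status would be the next step and needs an X.509 library, so it is left out here.

```python
import struct
# Anonymous-DH suites from the TLS registry: the server sends no certificate,
# so a client accepting one of these has authenticated nobody.
ANON_DH_SUITES = {0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
                  0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
                  0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
                  0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA"}

def iter_handshakes(stream):
    """Yield (type, body) per handshake message, reassembling across records."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[pos:pos + 5])
        pos += 5
        if ctype == 22:  # record content type 22 = handshake
            buf += stream[pos:pos + length]
        pos += length
    off = 0
    while off + 4 <= len(buf):
        htype, hlen = buf[off], int.from_bytes(buf[off + 1:off + 4], "big")
        yield htype, buf[off + 4:off + 4 + hlen]
        off += 4 + hlen

def server_hello_suite(body):
    """Suite from ServerHello: version(2) random(32) session_id<1+n> suite(2)."""
    n = body[34]
    return struct.unpack("!H", body[35 + n:37 + n])[0]

def inspect_server_flight(stream):
    """Verdict on the server's first flight: suite, anonymity, Certificate seen."""
    v = {"suite": None, "anonymous": False, "cert_presented": False}
    for htype, body in iter_handshakes(stream):
        if htype == 2:                       # ServerHello
            v["suite"] = server_hello_suite(body)
            v["anonymous"] = v["suite"] in ANON_DH_SUITES
        elif htype == 11:                    # Certificate
            v["cert_presented"] = True
    return v

# Constructed sample flights (not real captures), one TLS record per message.
def build_record(htype, body):
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_server_hello(suite):
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return build_record(2, body)

ANON_FLIGHT = build_server_hello(0x0034)  # anon suite, no Certificate message
AUTH_FLIGHT = build_server_hello(0x002F) + build_record(11, b"\x00\x00\x00")  # RSA suite + (empty, constructed) Certificate
```

A real deployment would feed `inspect_server_flight` the reassembled server-to-client bytes of each new TLS session and drop sessions where `anonymous` is true or `cert_presented` is false.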