Firewall Wizards mailing list archives
RE: Security of HTTPS
From: <lordchariot () earthlink net>
Date: Tue, 23 Nov 2004 11:00:07 -0500
I wouldn't necessarily call it a MITM attack, but there are some products out there that intentionally decrypt an SSL connection. These type of products will take an SSL certificate as presented from the web site, and re-create a new one on-the-fly to present to the client browser. If the product's CA cert is loaded into the client, there aren't any certificate warnings. If not, then most people click through the cert warning anyway because they don't know any better. These products are generally used to perform AV scans or Ad-Popup blocking through an SSL connection. For example, an attachement coming in through an SSL webmail connection that needs to be virus scanned at the gateway. Erik -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Alex Bihlmaier Sent: Friday, November 19, 2004 6:07 AM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] Security of HTTPS Good Morning. I am curious how strong the security of https can be. Is there some possibility of a MITM attack? Are there any papers out there outlining this aspect of security? //thalunil ---------------------------------------------------------------- kallisti.de webmail access - email on the road _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Security of HTTPS Alex Bihlmaier (Nov 22)
- RE: Security of HTTPS Ben Nagy (Nov 23)
- RE: Security of HTTPS Marcus J. Ranum (Nov 27)
- RE: Security of HTTPS Alex Bihlmaier (Nov 27)
- Re: Security of HTTPS Chuck Vose (Nov 27)
- RE: Security of HTTPS Marcus J. Ranum (Nov 27)
- RE: Security of HTTPS lordchariot (Nov 27)
- RE: Security of HTTPS Frank Knobbe (Nov 27)
- Re: Security of HTTPS Ng Pheng Siong (Nov 28)
- Re: Security of HTTPS Frank Knobbe (Nov 28)
- Re: Security of HTTPS Ng Pheng Siong (Nov 28)
- Re: Security of HTTPS Frank Knobbe (Nov 28)
- RE: Security of HTTPS Frank Knobbe (Nov 27)
- RE: Security of HTTPS Ben Nagy (Nov 23)
- Re: Security of HTTPS Kevin Sheldrake (Nov 28)
- Re: Security of HTTPS Ng Pheng Siong (Nov 28)
- <Possible follow-ups>
- RE: Security of HTTPS Jean-Denis Gorin (Nov 23)
- RE: Security of HTTPS Servie Platon (Nov 27)