Firewall Wizards mailing list archives
Re: Security of HTTPS
From: "Kevin Sheldrake" <kev () electriccat co uk>
Date: Sun, 28 Nov 2004 15:38:09 -0000
I'm not Erik (as you probably realised) but I believe the following can be configured to do this:
* Checkpoint FW-1 NG
* Microsoft ISA Server

(I could be wrong; these examples relate to other people's infrastructure and their description of it to me.)
I expect others do too, to enable content filtering at an organisational boundary, re-encrypting with their own certificate upon success. If their own certificate has been signed by a trusted party (CA) then the user will be practically unaware of the decryption. One organisation's IS Manager pointed out to me that the firewall/server doesn't have to re-encrypt the stream, allowing it to present the 'SSL' pages to the user over HTTP. He configured his firewall/server to re-encrypt so as not to alarm the user (lack of padlock in the browser)!
Without sounding cynical, I think these are excellent examples of SSL MITM attacks, perpetrated by managers of 'third party' infrastructure, usually without user awareness. The idea that SSL would provide end-to-end encryption is laughable when this example is considered.
As I hinted above, I expect most enterprise firewalls offer this functionality. My mention of the above products is by no means an endorsement; they just happen to be two I have been informed of.
Kev
> there are some products out there that intentionally decrypt an SSL connection.

Erik,

Can you give a list of those products? I'm only familiar with Finjan's Vital Security for SSL.

Shimon Silberschlag
+972-3-9351572
+972-50-7207130

----- Original Message -----
From: <lordchariot () earthlink net>
To: <firewall-wizards () honor icsalabs com>
Sent: Tuesday, November 23, 2004 18:00
Subject: RE: [fw-wiz] Security of HTTPS

I wouldn't necessarily call it a MITM attack, but there are some products out there that intentionally decrypt an SSL connection. These types of products will take an SSL certificate as presented from the web site, and re-create a new one on-the-fly to present to the client browser. If the product's CA cert is loaded into the client, there aren't any certificate warnings. If not, then most people click through the cert warning anyway because they don't know any better.

These products are generally used to perform AV scans or Ad-Popup blocking through an SSL connection. For example, an attachment coming in through an SSL webmail connection that needs to be virus scanned at the gateway.

Erik

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Alex Bihlmaier
Sent: Friday, November 19, 2004 6:07 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Security of HTTPS

Good Morning.

I am curious how strong the security of https can be. Is there some possibility of a MITM attack? Are there any papers out there outlining this aspect of security?
//thalunil
----------------------------------------------------------------
kallisti.de webmail access - email on the road

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd
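The on-the-fly re-signing that Erik describes (take the certificate the web site presents, re-create a new one for the browser, no warning if the product's CA is loaded into the client) and that Kevin's reply calls an SSL MITM is shown below as an added example in Go. It is not code from this thread or from any of the products named; it uses only the standard library (Go 1.15 or later) and runs offline. The CA names "Example Public Root" and "Corp Gateway CA", the host mail.example.com and the Outcome type are constructed for the illustration. A "public" CA issues the site's genuine certificate; the gateway copies the subject, SANs and validity from it into a new certificate bound to a key the gateway holds, signed by the gateway's own CA; a client trusting only the public CA rejects that certificate (the warning users click through), while a client with the gateway CA installed accepts it silently.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent with a fresh P-256 key; parentKey == nil means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // key generation, signing or parsing failures are not recoverable in this demo
	}
	if parentKey == nil {
		parentKey = key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // demo only; real CAs use random serials
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issue creates a self-signed root CA (parent == nil) or, the way a public CA
// would, a server certificate for the host name under parent.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		Subject:   pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour),
		NotAfter:  time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		return sign(tmpl, tmpl, nil)
	}
	tmpl.DNSNames = []string{name}
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return sign(tmpl, parent, parentKey)
}

// forgeLeaf is the gateway's on-the-fly step: copy the identity the upstream certificate
// claims into a new template, bind it to a key the gateway holds and sign it with the
// gateway's own CA. The site's private key is never needed.
func forgeLeaf(upstream, gwCA *x509.Certificate, gwKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		Subject:     upstream.Subject,
		DNSNames:    upstream.DNSNames,
		NotBefore:   upstream.NotBefore,
		NotAfter:    upstream.NotAfter,
		ExtKeyUsage: upstream.ExtKeyUsage,
	}
	return sign(tmpl, gwCA, gwKey)
}

// accepts reports whether a client whose trust store holds exactly root shows no warning for cert on host.
func accepts(cert *x509.Certificate, host string, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

type Outcome struct {
	RealOKDefault   bool // genuine cert, client trusts only the public CA
	ForgedOKDefault bool // gateway cert, client trusts only the public CA: warning
	ForgedOKManaged bool // gateway cert, gateway CA installed on the client: silent
	SameIdentity    bool // gateway cert shows the same CN and SANs as the genuine one
	DifferentKey    bool // but is bound to a key the gateway, not the site, controls
}

func Run(host string) Outcome {
	publicCA, publicKey := issue(nil, nil, "Example Public Root")
	site, _ := issue(publicCA, publicKey, host)
	gwCA, gwKey := issue(nil, nil, "Corp Gateway CA")
	forged, _ := forgeLeaf(site, gwCA, gwKey)
	return Outcome{
		RealOKDefault:   accepts(site, host, publicCA),
		ForgedOKDefault: accepts(forged, host, publicCA),
		ForgedOKManaged: accepts(forged, host, gwCA),
		SameIdentity: forged.Subject.CommonName == site.Subject.CommonName &&
			fmt.Sprint(forged.DNSNames) == fmt.Sprint(site.DNSNames),
		DifferentKey: !site.PublicKey.(*ecdsa.PublicKey).Equal(forged.PublicKey),
	}
}

func main() {
	fmt.Printf("%+v\n", Run("mail.example.com"))
}
```

Running it prints RealOKDefault, ForgedOKManaged, SameIdentity and DifferentKey as true and ForgedOKDefault as false. The forged certificate differs from the genuine one only in issuer, public key, serial and signature; everything the browser displays about the site is identical, which is why a client can detect the gateway only by checking those fields, for instance by comparing the certificate fingerprint it sees with one obtained out of band.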
Current thread:
- RE: Security of HTTPS, (continued)
- RE: Security of HTTPS Marcus J. Ranum (Nov 27)
- RE: Security of HTTPS Alex Bihlmaier (Nov 27)
- Re: Security of HTTPS Chuck Vose (Nov 27)
- RE: Security of HTTPS Marcus J. Ranum (Nov 27)
- RE: Security of HTTPS lordchariot (Nov 27)
- RE: Security of HTTPS Frank Knobbe (Nov 27)
- Re: Security of HTTPS Ng Pheng Siong (Nov 28)
- Re: Security of HTTPS Frank Knobbe (Nov 28)
- Re: Security of HTTPS Ng Pheng Siong (Nov 28)
- Re: Security of HTTPS Frank Knobbe (Nov 28)
- RE: Security of HTTPS Frank Knobbe (Nov 27)
- Re: Security of HTTPS Kevin Sheldrake (Nov 28)
- Re: Security of HTTPS Ng Pheng Siong (Nov 28)
- RE: Security of HTTPS Servie Platon (Nov 27)
- RE: Security of HTTPS Paul D. Robertson (Nov 27)
- Re: Security of HTTPS Kevin Sheldrake (Nov 27)