Firewall Wizards mailing list archives

Re: The Outgoing Traffic Problem


From: <lordchariot () earthlink net>
Date: Mon, 17 Jul 2006 16:19:11 -0400

 
Mike Barkett wrote:
It also requires the man-in-the-middle to proxy the public keys of every SSL
site visited.  S-L-O-W!!!!  Nevertheless, I'm sure many people will
voraciously pummel this problem with this cotton hammer for a few years, to
no avail.


There are a number of commercial man-in-the-middle solutions available, but
I contend that it's not as slow as you may think. Although it does put some
extra load on a proxy server, the impact occurs when you re-generate the
site's cert to present to the client. Once past that part, the session
encryption is a much less significant load. Then of course, there are SSL
accelerators to offload much of that anyway.

Decrypting SSL in this manner is a start. At least it can filter out all the
non-HTTP traffic that is getting tunneled through a blind 443/tcp (i.e.
Skype or P2P traffic). It's when these tunneled protocols start behaving
like real HTTP inside that it becomes more difficult to distinguish
malicious traffic.

On some level, I wonder why nobody ever uses the client authentication
features of SSL that have been around forever.  I mean, I know WHY, but now
we are paying for it.  IMO, if every client had to use 2+ factor
authentication to visit any SSL site, via client SSL proxy, it would at
least reduce this problem to a level of manageability consistent with
today's worms.  Again, slow, but maybe the only easy stopgap until The
Ranum-Robertson Corporation opens its doors for business.


Sigh. ANY authentication would be better than none at all. At least it can
add some accountability. 2-factor is not totally unreasonable, but until
there are some landmark legal cases with some real penalties, no one will
deploy to that scale...yet.


-erik



_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
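The re-signing step discussed in the message above (an inspection proxy generating a replacement certificate for each SSL site a client visits, after which the session encryption itself costs little extra) is shown below as an added example. It is not code from the original message, from the list, or from any of the commercial products referred to; it uses only Go's standard crypto/x509 library, and the CA name "Example Inspection CA", the www.example.com hostnames and the 24-hour validity are constructed for illustration. The per-host cache is what keeps the expensive signing operation to once per site rather than once per connection, and TrustedBy shows the flip side a practitioner has to plan for: only clients that carry the inspection CA in their trust store accept the forged leaf, so unmanaged or pinning clients fail the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"sync"
	"time"
)

// Interceptor is the re-signing core of an SSL inspection proxy: a private CA and
// a per-host cache, so signing a replacement certificate happens once per site.
type Interceptor struct {
	CA      *x509.Certificate // the certificate every managed client must trust
	caKey   *ecdsa.PrivateKey
	leafKey *ecdsa.PrivateKey // one key pair reused for every forged leaf
	mu      sync.Mutex
	cache   map[string]*x509.Certificate
	Mints   int // cache misses, i.e. certificates actually signed
}

// NewInterceptor generates an in-memory self-signed CA with a hypothetical name.
func NewInterceptor() (*Interceptor, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Inspection CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Interceptor{CA: ca, caKey: caKey, leafKey: leafKey, cache: map[string]*x509.Certificate{}}, nil
}

// CertFor returns the replacement certificate presented to the client for host.
// dnsNames are copied from the real upstream certificate so the client's hostname
// check still passes. Signing, the costly part, happens only on a cache miss.
func (i *Interceptor) CertFor(host string, dnsNames []string) (*x509.Certificate, error) {
	i.mu.Lock()
	defer i.mu.Unlock()
	if c, ok := i.cache[host]; ok && time.Now().Before(c.NotAfter) {
		return c, nil
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.CA, &i.leafKey.PublicKey, i.caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	i.cache[host] = leaf
	i.Mints++
	return leaf, nil
}

// TrustedBy reports whether a client trusting exactly roots (system store
// excluded) accepts leaf for host; only clients holding the inspection CA do.
func TrustedBy(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
```

In use, the proxy would call CertFor from its TLS GetCertificate callback with the names read from the real server's certificate; repeated connections to the same site return the cached leaf, so Mints stays at one per host. TrustedBy with an empty root list models a client that never received the inspection CA: it rejects the leaf as issued by an unknown authority, which is exactly the breakage seen with unmanaged devices and pinned applications behind such a proxy.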

