Firewall Wizards mailing list archives
Re: The Outgoing Traffic Problem
From: <lordchariot () earthlink net>
Date: Mon, 17 Jul 2006 16:19:11 -0400
Mike Barkett wrote:
> It also requires the man-in-the-middle to proxy the public keys of every SSL site visited. S-L-O-W!!!! Nevertheless, I'm sure many people will voraciously pummel this problem with this cotton hammer for a few years, to no avail.

There are a number of commercial man-in-the-middle solutions available, but I contest that it's not as slow as you may think. Although it does put some extra load on a proxy server, the impact occurs when you re-generate the site's cert to present to the client. Once past that part, the session encryption is a less significant load. Then of course, there are SSL accelerators to offload much of that anyway. Decrypting SSL in this manner is a start. At least it can filter out all the non-HTTP traffic that is getting tunneled through a blind 443/tcp (e.g. Skype or P2P traffic). It's when these tunneled protocols start behaving like real HTTP inside that it becomes more difficult to distinguish malicious traffic.

> On some level, I wonder why nobody ever uses the client authentication features of SSL that have been around forever. I mean, I know WHY, but now we are paying for it. IMO, if every client had to use 2+ factor authentication to visit any SSL site, via client SSL proxy, it would at least reduce this problem to a level of manageability consistent with today's worms. Again, slow, but maybe the only easy stopgap until The Ranum-Robertson Corporation opens its doors for business.

Sigh. ANY authentication would be better than none at all. At least it can add some accountability. 2-factor is not totally unreasonable, but until there are some landmark legal cases with some real penalties, no one will deploy to that scale...yet.

-erik

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
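The cost argument in the reply above (the expensive step of an intercepting proxy is minting a replacement certificate for each site, not the per-session encryption) and the coarse "is this even HTTP?" filter it mentions can both be shown in a few dozen lines. The following is an added illustration written for this archive page, not code from the thread or from any of the commercial products it refers to. It uses only the Go standard library; the CA name, hostnames and sample payloads are constructed for the example, and a real proxy would additionally copy the upstream server's subject and SAN list into the minted leaf and distribute the CA certificate to every managed client.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// InterceptCA is a hypothetical stand-in for the issuing CA inside a
// TLS-intercepting proxy. Nothing here touches a network.
type InterceptCA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	leafKey *ecdsa.PrivateKey // one key pair reused for every minted leaf
	mu      sync.Mutex
	cache   map[string]*x509.Certificate // minted leaf per hostname
	Mints   int                          // signing operations actually performed
}

// NewInterceptCA generates the proxy's CA key and self-signed certificate.
func NewInterceptCA() (*InterceptCA, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Intercepting Proxy CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &InterceptCA{Cert: cert, key: caKey, leafKey: leafKey,
		cache: make(map[string]*x509.Certificate)}, nil
}

// LeafFor returns the certificate the proxy presents to the client for host.
// The first request for a host pays for a signing operation; later requests
// hit the cache, so the cost is per site rather than per connection.
func (ca *InterceptCA) LeafFor(host string) (*x509.Certificate, error) {
	ca.mu.Lock()
	defer ca.mu.Unlock()
	if c, ok := ca.cache[host]; ok {
		return c, nil
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &ca.leafKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	ca.cache[host] = leaf
	ca.Mints++
	return leaf, nil
}

// ChainsToCA is the check a managed client performs: the minted leaf must
// verify for host against the proxy CA (and only that CA).
func (ca *InterceptCA) ChainsToCA(leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

var httpMethods = [][]byte{[]byte("GET "), []byte("POST "), []byte("HEAD "), []byte("PUT "),
	[]byte("DELETE "), []byte("OPTIONS "), []byte("CONNECT "), []byte("TRACE "), []byte("PATCH ")}

// LooksLikeHTTP is the coarse first-pass filter: once the proxy holds the
// plaintext, a 443 stream that does not open with an HTTP request line is a
// tunnelled non-HTTP protocol and can be dropped before any content inspection.
func LooksLikeHTTP(plaintext []byte) bool {
	for _, m := range httpMethods {
		if bytes.HasPrefix(plaintext, m) {
			return true
		}
	}
	return false
}

func main() {
	ca, err := NewInterceptCA()
	if err != nil {
		panic(err)
	}
	// Same host twice: the second lookup must not cost a signing operation.
	for _, h := range []string{"www.example.com", "www.example.com", "mail.example.net"} {
		leaf, err := ca.LeafFor(h)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-18s chains=%v mints so far=%d\n", h, ca.ChainsToCA(leaf, h), ca.Mints)
	}
	// Constructed payloads standing in for decrypted 443 traffic.
	fmt.Println(LooksLikeHTTP([]byte("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n")))
	fmt.Println(LooksLikeHTTP([]byte{0x17, 0x03, 0x01, 0x00, 0x20, 0x9a}))
}
```

The prefix test is deliberately crude: it is the "blind 443" filter the reply describes as a start, and it is exactly what a tunnelling protocol defeats by wrapping itself in well-formed HTTP, which is the harder case the reply goes on to note.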
Current thread:
- Re: The Outgoing Traffic Problem Mike Barkett (Jul 17)
- Re: The Outgoing Traffic Problem lordchariot (Jul 17)
- Re: The Outgoing Traffic Problem Marcus J. Ranum (Jul 18)
- Re: The Outgoing Traffic Problem Paul D. Robertson (Jul 18)
- Re: The Outgoing Traffic Problem Paul D. Robertson (Jul 18)
- Re: The Outgoing Traffic Problem ArkanoiD (Jul 20)
- Re: The Outgoing Traffic Problem Marcus J. Ranum (Jul 19)
- Re: The Outgoing Traffic Problem Devdas Bhagat (Jul 19)
- Re: The Outgoing Traffic Problem Marcus J. Ranum (Jul 19)
- Re: The Outgoing Traffic Problem Marcus J. Ranum (Jul 18)
- Re: The Outgoing Traffic Problem lordchariot (Jul 17)
- <Possible follow-ups>
- Re: The Outgoing Traffic Problem vern (Jul 18)
- Re: The Outgoing Traffic Problem Fetch, Brandon (Jul 27)
- Re: The Outgoing Traffic Problem Paul D. Robertson (Jul 27)