Firewall Wizards mailing list archives

Re: The Outgoing Traffic Problem --


From: Carson Gaspar <carson () taltos org>
Date: Tue, 25 Jul 2006 15:16:05 -0700

--On Tuesday, July 11, 2006 9:51 PM -0400 "Marcus J. Ranum" <mjr () ranum com> 
wrote:

> As far as I can see, the endgame is going to be one of two
> things.
> - Organizations are going to try to add signature-style
> controls to SSL transactions and are going to rely on "man
> in the middle" style interception tricks and (call 'em what
> you want) signatures to detect malicious traffic
> - Organizations are going to have to positively identify
> sites with which it is necessary/appropriate to do SSL
> transactions

I really wish I'd gone & patented my "benevolent dictator MITM attack" back 
in '96, but I was/am too damned lazy... I haven't looked at the current 
crop of commercial MITM SSL proxies, but one simple method of weeding out 
some naughty connections is for the proxy to enforce server cert validity 
(with the inevitable exception list for crap sites that we nonetheless must 
do business with). I suspect this would stop a large percentage of HTTPS 
phone-home schemes, unless they're using hijacked sites' legitimate certs.

Of course that's just another finger in one of many holes in the dike. 
Personally, I'd love to deploy a dual client environment using some syscall 
ACL tech. Normal apps have full (well, normal user) local privs, but may 
only go to whitelisted sites off net. To access random cruft, a user must 
use a sandboxed app that is allowed to do very little indeed. I _think_ 
this would be a decent tradeoff that would allow crap 3rd party apps to 
work, and allow users to visit their favorite malware-infected sites 
without sideswiping the rest of the company on the way. Of course, 
enforcing that only the sandboxed app can get at the default-permit proxy 
is an interesting technical and political problem...

-- 
Carson
 
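The two controls described in the reply above (an intercepting proxy that enforces server certificate validity with an exception list, and a normal/sandboxed client split where only the sandboxed client gets default-permit) sketched as a proxy policy function. This is an added example, not code from the post or from any product; the hostnames, client classes and events are constructed, and the certificate validation result is assumed to be supplied by the proxy's TLS layer.

```python
"""Policy skeleton for an intercepting HTTPS proxy: fail closed on a bad
server certificate (unless the site is on the exception list), then apply
the per-client-class site policy. All names and events are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Set, Tuple

# Constructed lists; in a real deployment these come from the proxy config.
WHITELIST: Set[str] = {"*.example-bank.test", "intranet.example.test"}
CERT_EXCEPTIONS: Set[str] = {"legacy-vendor.test"}  # sites we must tolerate


@dataclass(frozen=True)
class ConnectEvent:
    client_class: str            # "normal" or "sandbox" (assumed proxy auth)
    host: str                    # CONNECT / SNI target
    cert_error: Optional[str]    # None if chain + hostname validated


def _listed(host: str, patterns: Set[str]) -> bool:
    # fnmatch's "*" also spans dots, so "*.example-bank.test" covers
    # any depth of subdomain but not the bare apex name.
    return any(fnmatch(host, p) for p in patterns)


def decide(ev: ConnectEvent) -> Tuple[str, str]:
    """Return (verdict, reason). Certificate validity is checked before the
    site policy so a whitelisted host with a bad cert still fails closed."""
    if ev.cert_error is not None:
        if _listed(ev.host, CERT_EXCEPTIONS):
            return "allow", f"cert error tolerated by exception list: {ev.cert_error}"
        return "deny", f"server cert failed validation: {ev.cert_error}"
    if ev.client_class == "sandbox":
        return "allow", "sandboxed client, default-permit"
    if _listed(ev.host, WHITELIST):
        return "allow", "whitelisted site"
    return "deny", "normal client may only reach whitelisted sites"


def audit(events: List[ConnectEvent]) -> List[str]:
    """Render one log line per decision, for the proxy's access log."""
    return [f"{v.upper()} {ev.client_class} -> {ev.host}: {r}"
            for ev in events for v, r in [decide(ev)]]


if __name__ == "__main__":
    sample = [ConnectEvent("normal", "www.example-bank.test", None),
              ConnectEvent("normal", "updates.unknown.test", None),
              ConnectEvent("sandbox", "updates.unknown.test", "self-signed"),
              ConnectEvent("normal", "legacy-vendor.test", "expired")]
    print("\n".join(audit(sample)))
```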
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
