Firewall Wizards mailing list archives
Re: Firewall best practices
From: Carson Gaspar <carson () taltos org>
Date: Tue, 27 Apr 2010 16:34:16 -0500
John Morrison wrote:
> My understanding of https (and other PKI-based encryption) is that only the holder of the private key can decrypt the data encrypted with the other (public) key in the pair. My view is that the firewall can only decrypt and inspect https traffic if it is acting as the server to the external client. It can't intercept and decrypt https traffic destined for another device - the real server. If it did https would be worthless. Any hacker could buy such a firewall to sniff and decrypt all https traffic.
Not entirely true. Way back when (1995/96), when I was hacking on firewall proxies, I postulated a benevolent-dictator MITM proxy for HTTPS (or other SSL services). This requires that you have your own signing CA and install its key as trusted in your users' browsers (or other software). The proxy can then impersonate the server and examine the traffic.
Since then, several implementations of such a beast have been created, some of which are open source.
-- 
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
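The mechanism Carson describes, shown as an added example (this is not code from the thread or from any product mentioned in it): the proxy keeps its own signing CA, mints a leaf certificate for whatever hostname the client asked for, and the client accepts it only if that CA has been installed in its trust store. The CA name, hostnames and the `InterceptCA` / `ForgeServerCert` / `ClientAccepts` names are made up for the illustration; everything is Go standard library and runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InterceptCA is the proxy's private signing CA (hypothetical type for this
// example). Its private key is the most sensitive secret on the box: whoever
// holds it can impersonate any site to every client that trusts the CA.
type InterceptCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewInterceptCA creates the self-signed CA whose certificate the
// administrator installs as a trusted root in users' browsers.
func NewInterceptCA() (*InterceptCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Interception CA"}, // made-up name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &InterceptCA{Cert: cert, Key: key}, nil
}

// ForgeServerCert is what the proxy does when a client opens TLS to host:
// it mints a fresh leaf for that name, signed by its own CA, and terminates
// the client's session with it. The real server's private key is never involved.
func (ca *InterceptCA) ForgeServerCert(host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return leaf, key, nil
}

// ClientAccepts reports whether a client whose trust store is exactly roots
// would accept leaf for host: the same chain and hostname validation a
// browser performs.
func ClientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: time.Now()})
	return err == nil
}

func main() {
	ca, err := NewInterceptCA()
	if err != nil {
		panic(err)
	}
	const host = "www.example.com" // constructed hostname
	leaf, _, err := ca.ForgeServerCert(host)
	if err != nil {
		panic(err)
	}
	managed := x509.NewCertPool() // desktop with the interception CA pushed to it
	managed.AddCert(ca.Cert)
	unmanaged := x509.NewCertPool() // guest/BYOD device: CA not trusted

	fmt.Println("forged cert issuer:      ", leaf.Issuer.CommonName)
	fmt.Println("managed client accepts:  ", ClientAccepts(leaf, managed, host))
	fmt.Println("unmanaged client accepts:", ClientAccepts(leaf, unmanaged, host))
	fmt.Println("other hostname accepted: ", ClientAccepts(leaf, managed, "mail.example.com"))
}
```

Two things the example makes concrete: the proxy never "breaks" the real server's key, it substitutes its own certificate, so the only visible difference on a managed client is the issuer name in the chain; and a client that does not trust the CA (or that pins the real server's key) rejects the forged leaf outright. The flip side is that the interception CA's private key must be guarded at least as carefully as any production signing key.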