Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Firewall best practices

From: Carson Gaspar <carson () taltos org>
Date: Tue, 27 Apr 2010 16:34:16 -0500
John Morrison wrote:

My understanding of https (and other PKI-based encryption) is that
only the holder of the private key can decrypt the data encrypted with
the other (public) key in the pair. My view is that the firewall can
only decrypt and inspect https traffic if it is acting as the server
to the external client. It can't intercept and decrypt https traffic
destined for another device - the real server. If it did https would
be worthless. Any hacker could buy such a firewall to sniff and
decrypt all https traffic.
Not entirely true. Way back when (1995/96) when I was hacking on firewall proxies I postulated a benevolent dictator MITM proxy for HTTPS (or other SSL services). This requires that you have your own signing CA and install its key as trusted in your users' browsers (or other software). The proxy can then impersonate the server and examine the traffic.
Since then, several implementations of such a beast have been created, some of which are open source. 

--
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: