IDS mailing list archives

RE: SSL - Man-in-the-Middle filtering


From: "Marian Ion" <marian.ion () e-licitatie ro>
Date: Wed, 12 Dec 2007 12:06:12 +0200


First of all, sorry for the long reply.

Secondly, in Romania, where I live, Art. 4 from Law 506/2004, regarding the
processing of personal data and the protection of private life in
telecommunication, specifies the following:

Article 4
Confidentiality of the communications 

(1) The confidentiality of communications and the related traffic data by
means of public electronic communications networks and publicly available
electronic communications services is guaranteed. 

(2) Listening, tapping, storage or other kinds of interception or
surveillance of communications and the related traffic data are prohibited,
except for the following cases:
     a) these operations are carried out by the users who participate in
that communication;
     b) the users who participate in that communication have previously
given their written consent;
     c) these operations are carried out by the competent authorities, under
the conditions set out by the legal provisions in force.

(3) The provisions of paragraphs (1) and (2) shall not prevent technical
storage which is necessary for the conveyance of a communication without
prejudice to the principle of confidentiality. 

(4) The provisions of paragraphs (1) and (2) shall not affect any legally
authorised recording of communications and the related traffic data when
carried out in the course of lawful business practice for the purpose of
providing evidence of a commercial transaction or of a business
communication. 

(5) The use of an electronic communications network to store information or
to gain access to information stored in the terminal equipment of a
subscriber or user is only allowed on condition that: 
     a) the subscriber or user concerned was provided with clear and
comprehensive information in accordance with Art. 12 of Law no. 677/2001,
inter alia about the purposes of the storage or access to information
stored; and
     b) the subscriber or user concerned was offered the possibility to
refuse such storage or access to information stored.

(6) The provisions of paragraph (5) shall not prevent the technical storage
or access in the following cases:
     a) when these operations are performed for the sole purpose of carrying
out or facilitating the transmission of a communication over an electronic
communications network;
     b) when these operations are strictly necessary for the provision of an
information society service explicitly requested by the subscriber or user.


For the full text:
(http://www.legi-internet.ro/index.php/Romania_Law_no_506_2004_on/81/0/?&L=2
)

So in my opinion (and I'm not a jurist), interfering in an encrypted
communication implies "interception or surveillance of communications and
the related traffic data", as well as "technically" listening to that
communication, much more than a firewall or IDS do.

In addition, ... can you imagine a business based on trust and
confidentiality, provided through an enterprise (or provider) IPS that
intercepts and modifies all encrypted traffic?


marian




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Craig Wright
Sent: 11 December 2007 19:21
To: Marian Ion; focus-ids () securityfocus com
Subject: RE: SSL - Man-in-the-Middle filtering

What law?
 
Enterprise deployments own the data. This is not allowed in a US Federal
University environment due to specific requirements against monitoring, but
WHAT law?
 
Regards,
Dr Craig Wright (GSE-Compliance)



Craig Wright
Manager of Information Systems

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you
are not the named addressee you must not read, print, copy, distribute, or
use in any way this transmission or any information it contains.  If you
have received this message in error, please notify the sender by return
email, destroy all copies and delete it from your system. 

Any views expressed in this message are those of the individual sender and
not necessarily endorsed by BDO Kendalls.  You may not rely on this message
as advice unless subsequently confirmed by fax or letter signed by a Partner
or Director of BDO Kendalls.  It is your responsibility to scan this
communication and any files attached for computer viruses and other defects.
BDO Kendalls does not accept liability for any loss or damage however caused
which may result from this communication or any files attached.  A full
version of the BDO Kendalls disclaimer, and our Privacy statement, can be
found on the BDO Kendalls website at http://www.bdo.com.au or by emailing
administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and
entities.

________________________________


From: listbounce () securityfocus com on behalf of Marian Ion
Sent: Tue 11/12/2007 5:06 PM
To: focus-ids () securityfocus com
Subject: RE: SSL - Man-in-the-Middle filtering




Isn't this an interference in an encrypted communication, penalized by the
law? And ... as a user, how can you trust the confidentiality of this
communication once you find out about it?

marian



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Ravi Chunduru
Sent: 08 December 2007 18:33
To: focus-ids () securityfocus com
Subject: SSL - Man-in-the-Middle filtering

It seems that some network IPS devices and application firewalls are
not only providing SSL-based HTTP inspection on the server side, but also
on the client side (I know of one IPS device which is in beta testing).
I understand that it is required, as attacks can be sent in SSL to
avoid blocking.

When deployed on the client side, these devices resign certificates (of
public servers) with a local CA certificate. I see two aspects to it:
users need to trust the local authority (enterprise administrators), and
second, users will have a false sense of security (that is, users
no longer see the actual CA of the server certificate).

any comments on acceptance of this functionality in enterprise deployments?

is there any standard mechanism (in SSL standard or in HTTP standard)
to send actual CA certificate to the browser by forward proxies?

thanks
Ravi
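The resigning behaviour Ravi describes is visible from the client side: the leaf certificate the browser receives is minted by the proxy's local CA, so both its issuer and its fingerprint differ from what the public server actually presents. The following is an added example, not code from the thread or from any vendor, showing how a client-side check can detect such interception from the dict returned by Python's `ssl.SSLSocket.getpeercert()` and the DER bytes from `getpeercert(binary_form=True)`. The sample certificates, the "Example Public CA G2" and "Acme Forward Proxy CA" names, and the pinned values are constructed for the example.

```python
"""Defender-side check for TLS interception by a resigning forward proxy.

Added example (not from the mailing-list thread). Works on the dict that
ssl.SSLSocket.getpeercert() returns plus the DER bytes from
getpeercert(binary_form=True). All certificate data below is constructed.
"""
import hashlib
import socket
import ssl


def issuer_cn(cert):
    """Return the issuer commonName from a getpeercert()-style dict.

    getpeercert() encodes the issuer as a tuple of RDNs, each RDN being a
    tuple of (attribute, value) pairs.
    """
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def fingerprint_sha256(der_bytes):
    """SHA-256 fingerprint of the DER-encoded leaf certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_interception(cert, der_bytes, expected_issuer_cn, expected_fingerprint):
    """Return a list of findings; an empty list means the chain is as pinned.

    Two independent signals are checked:
    - issuer changed: a resigning proxy replaces the public CA with its own;
    - fingerprint changed: the leaf is a different certificate object, which
      still fires if a proxy copies the original issuer name verbatim.
    """
    findings = []
    seen_issuer = issuer_cn(cert)
    if seen_issuer != expected_issuer_cn:
        findings.append(
            f"issuer mismatch: expected {expected_issuer_cn!r}, got {seen_issuer!r}"
        )
    seen_fp = fingerprint_sha256(der_bytes)
    if seen_fp != expected_fingerprint:
        findings.append(
            f"fingerprint mismatch: expected {expected_fingerprint[:16]}..., "
            f"got {seen_fp[:16]}..."
        )
    return findings


def fetch_peer_cert(host, port=443, timeout=5):
    """Live variant for real use: returns (cert_dict, der_bytes) for a host.

    Not exercised offline; the stand-alone run below uses constructed data.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed sample data (not real certificates or real CA names).
GENUINE_DER = b"constructed-der-bytes-for-www-example-com-leaf"
GENUINE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA G2"),),
    ),
}
# Values the client would pin from an out-of-band, uninspected observation.
PINNED_ISSUER = "Example Public CA G2"
PINNED_FINGERPRINT = fingerprint_sha256(GENUINE_DER)

# What the browser sees behind a resigning proxy: same subject, new issuer,
# new leaf bytes.
RESIGNED_DER = b"constructed-der-bytes-minted-by-corporate-proxy"
RESIGNED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Acme Corp"),),
        (("commonName", "Acme Forward Proxy CA"),),
    ),
}


if __name__ == "__main__":
    print("genuine:", check_interception(GENUINE_CERT, GENUINE_DER,
                                         PINNED_ISSUER, PINNED_FINGERPRINT))
    print("resigned:", check_interception(RESIGNED_CERT, RESIGNED_DER,
                                          PINNED_ISSUER, PINNED_FINGERPRINT))
```

The fingerprint check is the one that matters in practice: a resigned chain keeps the original subject, so subject comparison proves nothing, and an issuer name can be copied, but the proxy cannot reproduce the original leaf's bytes without the server's private key. The pinned values have to come from a path the proxy does not sit on, otherwise the check merely pins the proxy's own certificate.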

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------


