Full Disclosure mailing list archives

Re: Possibly a stupid question RPC over HTTP

From: Kevin <KKadow () gmail com>
Date: Tue, 26 Oct 2004 23:34:15 -0500

On Tue, 26 Oct 2004 16:47:21 +0100, Airey, John <john.airey () rnib org uk> wrote:

Therefore my point still stands that if someone does possess a mathematical solution to the above, then all bets are 
off.
(Whoever it was who disagreed about my statements on encryption, please remember the context of the thread is about 
SSL security, not one-time keys).


Agreed.  Current SSL standards rely on public key encryption methods
which obtain their strength from the difficulty of the factoring
problem.

Getting back to the original question, you can't discover if someone is sending RPC over https unless you have a 
solution to the RSA hard problem above. Nor is it a major security issue if someone is using RPC over https either, 
unless there are flaws in the implementation of SSL or RPC that could be exploited by someone else.


Yes -- however, there are workarounds.
If you control one end point or the other, then you can take steps to
permit examination of the contents of SSL sessions.

Server:
If you control the server, you can of course load the keys into the
sniffer (risky, but not unheard of, see
http://www.radware.com/content/products/ct100/default.asp)) or 
terminate the SSL session on a device under your control. (For an
RPC-over-HTTP example, see this document:
http://www.msexchange.org/pages/article_p.asp?id=613)

Client:
If you control the client (say a corporate desktop PC), you have
another option -- you can modify the clients list of trusted CAs, and
force the client to establish the SSL session to your proxy server. 
This gives the proxy an opportunity to inspect/log/modify the
cleartext contents of the session.  The proxy establishes it's own SSL
session to the remote server normally neither the client or server
would be aware of the MITM.

A freeware implementation of this MITM approach was "Achilles", I have
also seen at least one commercial product offering this functionality
to permit content-scanning of outbound HTTPS browser traffic.

Kevin Kadow

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Possibly a stupid question RPC over HTTP, (continued)
- Re: Possibly a stupid question RPC over HTTP S G Masood (Oct 14)
- Re: Possibly a stupid question RPC over HTTP Roberto Gomez Bolaños (Oct 14)
- RE: Possibly a stupid question RPC over HTTP Burnes, James (Oct 14)
- RE: Possibly a stupid question RPC over HTTP Daniel Sichel (Oct 15)
- RE: Possibly a stupid question RPC over HTTP Airey, John (Oct 21)
  - Re: Possibly a stupid question RPC over HTTP Kyle Maxwell (Oct 21)
- RE: Possibly a stupid question RPC over HTTP Airey, John (Oct 22)
  - Re: Possibly a stupid question RPC over HTTP Andrew Farmer (Oct 22)
  - Re: Possibly a stupid question RPC over HTTP Kyle Maxwell (Oct 24)
- RE: Possibly a stupid question RPC over HTTP Airey, John (Oct 26)
  - Re: Possibly a stupid question RPC over HTTP Kevin (Oct 26)