Penetration Testing mailing list archives
Re: HTTPS proxy tool that resigns SSL certs
From: "Nathan Keltner" <shiftnato () gmail com>
Date: Tue, 6 Jun 2006 15:20:32 -0500
On 6/6/06, Steve Abatangle <stevea () eloan com> wrote:
Bluecoat makes a product that does this very thing -- they claim it's the only proxy server (commercial, anyway) that does this. The browser *will* be alerted, but you can either alert the user community to accept the CA cert, or just install the CA cert into the browsers on all workstations.
Regarding alerting the user community, I spoke with someone a while ago who had been working with a government agency and had seen some unintended side effects of this approach. Apparently, the government (or at least this agency) decided they didn't want to pay to have "authoritative" certs made and didn't go through the hassle of defining an authoritative server for users on their LANs. As a result, all of their certs popped up the warning banner for the client, and they dutifully trained all of their users to just "click through" without reading the message any time it popped up.

Needless to say, there are dangers in having an entire staff of computer users who routinely click through those warning messages, so keep that in mind. User behavior like that is already a problem; carefully consider whether this would teach bad behavior, and whether that's worth it.

Regards,
Nathan Keltner