WebApp Sec mailing list archives

RE: Security tool for monitoring HTTPS traffic?


From: "WebAppSecurity [Technicalinfo.net]" <webappsec () technicalinfo net>
Date: Wed, 25 Feb 2004 19:32:58 -0000

Are there products that can look inside HTTPS traffic? Some 
customers don't trust HTTPS traffic going inside the 
company over the proxy! For example, I have heard that a 
combination of squid and apache configuration can do this, 
but I have never seen it.

The answer depends upon at which point you need to observe the HTTPS
traffic.  At the client-side, a personal proxy such as Odysseus
(http://www.wastelands.gen.nz/odysseus) can't be beaten.  Intermediary
transparent proxies (including man-in-the-middle attack agents) won't work
for HTTPS without causing alert issues about bad certificates at the client
browser (but then again, many people don't bother about certificate warnings
and carry on regardless).

At the server-side, if an SSL accelerator is used as a separate device within
the server environment - just sitting/logging all traffic between the
accelerator and the server will be clear.  On the web server itself (i.e. it
does all the SSL encryption) you need to sit/observe the local traffic at
the appropriate application layer (or just get the web server to log/dump
all incoming/outgoing data).

Cheers,

Gunter

http://www.technicalinfo.net/


