WebApp Sec mailing list archives
RE: Security tool for monitoring HTTPS traffic?
From: "WebAppSecurity [Technicalinfo.net]" <webappsec () technicalinfo net>
Date: Wed, 25 Feb 2004 19:32:58 -0000
> Are there products that can look inside HTTPS traffic? Some customers don't trust HTTPS traffic going inside the company over the proxy! For example, I have heard that a combination of squid and apache configuration can do this, but I have never seen it.
The answer depends upon at which point you need to observe the HTTPS traffic.

At the client-side, a personal proxy such as Odysseus (http://www.wastelands.gen.nz/odysseus) can't be beaten.

Intermediary transparent proxies (including man-in-the-middle attack agents) won't work for HTTPS without causing alert issues about bad certificates at the client browser (but then again, many people don't bother about certificate warnings and carry on regardless).

At the server-side, if an SSL accelerator is used as a separate device within the server environment - just sitting/logging all traffic between the accelerator and the server will be clear.

On the web server itself (i.e. it does all the SSL encryption) you need to sit/observe the local traffic at the appropriate application layer (or just get the web server to log/dump all incoming/outgoing data).

Cheers,

Gunter
http://www.technicalinfo.net/