Re: [fw-wiz] Application Proxy/L7 Firewall Recommendation?

From: John Adams
To: Balazs Scheidler
Date: Thu Sep  5 21:04:01 2002

On Thu, 5 Sep 2002, Balazs Scheidler wrote:

> And yes SSL means that you can peek into decrypted SSL streams. (url
> filtering in HTTPS, anyone?) You can limit CONNECT, or stack in a decrypting
> HTTPS proxy within the CONNECT method to avoid instant messengers to go
> through your firewall.

How do they implement this?

Consider this: I attempt to connect to a site via HTTPS, and the
certificate presented by your decrypting proxy doesn't match the expected
certificate of the site I'm connecting to. Therefore, I know that there's
a man-in-the-middle attempting to decrypt my session. This is exactly the
sort of action that SSL was designed to prevent.

Note also that there are many other ways to tunnel illegitimate traffic
inside of legitimate traffic; these sorts of L7 proxies only prevent people
who don't know what they're doing from establishing a connection to where
they want to go.
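The detection John describes (the certificate the decrypting proxy hands you is not the certificate you expected for the site, even if the proxy's CA is in your trust store and the handshake "succeeds") is what certificate pinning makes mechanical. The following is an added example written for this page, not code from the thread or from any firewall product. The two DER byte strings are constructed placeholders, not real certificates (only their hashes matter here); `fetch_presented_certificate` is a live helper that assumes a direct or transparently intercepted connection and is not exercised offline.

```python
"""Certificate-pin check for spotting a decrypting (man-in-the-middle) HTTPS proxy.

Added example, not code from the mailing-list thread. A decrypting proxy can
only present a certificate it minted itself (signed by the proxy's own CA), so
the leaf the client actually receives will not match a fingerprint the client
recorded earlier for the genuine site, even when the proxy CA is trusted by the
OS store and chain validation passes.
"""
import hashlib
import ssl
from typing import Dict, Iterable

# Constructed placeholder byte strings standing in for DER-encoded certificates.
# They are NOT real certificates; the check only hashes them.
GENUINE_CERT_DER = b"\x30\x82\x01\x00constructed-genuine-leaf-cert-for-example.test"
PROXY_FORGED_CERT_DER = b"\x30\x82\x01\x00constructed-leaf-cert-minted-by-decrypting-proxy"


def cert_fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 over the whole DER certificate, colon-separated, in the same
    form that `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificate_matches_pin(presented_der: bytes, pinned_fingerprints: Iterable[str]) -> bool:
    """True if the presented certificate is one the client recorded as genuine."""
    normalised = {fp.replace(":", "").upper() for fp in pinned_fingerprints}
    return hashlib.sha256(presented_der).hexdigest().upper() in normalised


def audit_presented_certificate(presented_der: bytes, pinned_fingerprints: Iterable[str]) -> Dict[str, str]:
    """Return the verdict a pinning client reaches about the certificate it was handed.

    'ok'           - the leaf is the one we pinned
    'interception' - the chain may still validate, but the leaf is not the
                     site's: something in the path (e.g. a decrypting proxy)
                     re-signed the session
    """
    verdict = "ok" if certificate_matches_pin(presented_der, pinned_fingerprints) else "interception"
    return {"fingerprint": cert_fingerprint_sha256(presented_der), "verdict": verdict}


def fetch_presented_certificate(host: str, port: int = 443) -> bytes:
    """Live helper (not run offline): fetch the leaf certificate the network
    actually delivers for host:port, without chain validation, so the
    proxy-minted certificate is observed rather than rejected. Assumes a direct
    or transparently intercepted connection; behind an explicit proxy you would
    first issue HTTP CONNECT and then start TLS inside the tunnel."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# The pin recorded out-of-band. Here it is computed from the constructed genuine
# certificate, standing in for a fingerprint captured on a network you trust.
PINNED_FINGERPRINTS = [cert_fingerprint_sha256(GENUINE_CERT_DER)]

if __name__ == "__main__":
    for label, der in (("direct", GENUINE_CERT_DER), ("via decrypting proxy", PROXY_FORGED_CERT_DER)):
        print(label, audit_presented_certificate(der, PINNED_FINGERPRINTS))
```

The point of pinning the leaf (or its public key) rather than relying on chain validation is exactly the one made above: the corporate proxy's CA may be installed on the workstation, so the browser's usual check is satisfied, but the fingerprint the client remembered for the real site cannot be forged by the proxy. The same comparison works whether the proxy intercepts transparently or is stacked inside a CONNECT tunnel; in both cases the client still sees a certificate the proxy signed.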