Re: [fw-wiz] Application Proxy/L7 Firewall Recommendation?

From: John Adams (jna-dated-1031681827.333800@retina.net)
Date: 09/05/02


To: Balazs Scheidler <bazsi@balabit.hu>
Date: Thu Sep  5 21:04:01 2002

On Thu, 5 Sep 2002, Balazs Scheidler wrote:

> And yes, SSL means that you can peek into decrypted SSL streams. (url
> filtering in HTTPS, anyone?) You can limit CONNECT, or stack in a decrypting
> HTTPS proxy within the CONNECT method to prevent instant messengers from going
> through your firewall.

How do they implement this?

Consider this: I attempt to connect to a site via HTTPS, and the
certificate presented by your decrypting proxy doesn't match the expected
certificate of the site I'm connecting to. Therefore, I know that there's
a man-in-the-middle attempting to decrypt my session. This is exactly the
sort of action that SSL was designed to prevent.

Note also that there are many other ways to tunnel illegitimate traffic
inside of legitimate traffic; these sorts of L7 proxies only prevent people
who don't know what they're doing from establishing a connection to where
they want to go.

-john
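The check John describes above, as an added example that is not part of the original post or of any product discussed in the thread: a client that pins the public key it expects from a site will reject a certificate minted by a decrypting proxy for the same hostname, even though that proxy certificate passes hostname matching. The hostname (www.example.com) and both certificates are constructed in the code; a real client would obtain the expected SPKI hash out of band.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a self-signed certificate for host. This is constructed
// test data standing in for (a) the site's genuine cert and (b) a cert a
// decrypting proxy would mint on the fly for the same name.
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SPKIFingerprint returns the hex SHA-256 of the certificate's
// SubjectPublicKeyInfo, the value a pinning client stores ahead of time.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// CheckPin accepts the presented certificate only if its public key matches
// the expected pin. A proxy cannot satisfy this without the site's private key.
func CheckPin(presented *x509.Certificate, expectedPin string) error {
	if got := SPKIFingerprint(presented); got != expectedPin {
		return fmt.Errorf("public key mismatch for %q: got %s..., want %s...",
			presented.Subject.CommonName, got[:16], expectedPin[:16])
	}
	return nil
}

// Demo simulates both connections. It returns whether the genuine cert passed
// the pin, and whether the proxy's cert for the same hostname was rejected.
func Demo() (genuineOK bool, proxyDetected bool, err error) {
	const host = "www.example.com" // assumed hostname

	genuine, err := selfSignedCert(host)
	if err != nil {
		return false, false, err
	}
	proxy, err := selfSignedCert(host) // same name, different key
	if err != nil {
		return false, false, err
	}

	pin := SPKIFingerprint(genuine) // learned out of band, before the connection

	// Hostname matching alone does not distinguish the two certificates.
	if proxy.VerifyHostname(host) != nil {
		return false, false, fmt.Errorf("constructed proxy cert should match the hostname")
	}

	genuineOK = CheckPin(genuine, pin) == nil
	proxyDetected = CheckPin(proxy, pin) != nil
	return genuineOK, proxyDetected, nil
}

func main() {
	ok, detected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine cert accepted: %v, proxy cert rejected: %v\n", ok, detected)
}
```

In a real client this comparison would run inside the TLS handshake callback (Go's tls.Config.VerifyPeerCertificate) in addition to, not instead of, normal chain validation; the point is that a proxy that has been added to the trust store still fails the pin.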
