[fw-wiz] HTTPS, proxies, and remote developers.

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 06/13/03

  • Next message: Gregory Austin: "Re: [fw-wiz] VA vs PT tool"
    To: Firewall-Wizards <firewall-wizards@honor.icsalabs.com>
    Date: Sat, 14 Jun 2003 01:31:03 +0530

    I recently setup a mailserver for a software development company. The
    server has a web interface through usermin for password changing and
    handling GPG keys, running on a high port.
    This company has software developers located at their client locations,
    in different countries.
    The clients have proxies that block access to https, nor will they
    permit ssh/VPNs from their network to the development company by the
    offsite employees.
    The company has asked about the option of moving this to HTTP, but I have
    advised against it (given that GPG keys *may* be exposed on the
    Internet). If the company insists, I will move them to HTTP, with a
    written warning of the risk they are accepting.

    I do not like the idea of unencrypted communication flowing over the
    Internet for sensitive information. The company IT manager agrees with
    me. The remote client does not like the idea.
    What would be the easiest way to handle this situation? How would you
    resolve a policy issue if one of your clients requires that you use
    unencrypted traffic outbound from their network into yours.
    (Their need to know for traffic on their network against your need for

    Devdas Bhagat
    firewall-wizards mailing list

  • Next message: Gregory Austin: "Re: [fw-wiz] VA vs PT tool"