Re: [fw-wiz] Security of HTTPS
From: Ng Pheng Siong (ngps_at_netmemetic.com)
Date: 11/28/04
- Previous message: Ng Pheng Siong: "Re: [fw-wiz] Security of HTTPS"
- In reply to: Kevin Sheldrake: "Re: [fw-wiz] Security of HTTPS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Kevin Sheldrake <kev@electriccat.co.uk> Date: Mon, 29 Nov 2004 00:33:15 +0800
On Sun, Nov 28, 2004 at 03:38:09PM -0000, Kevin Sheldrake wrote:
> I expect others do too, to enable content filtering at an organisational
> boundary, re-encrypting with their own certificate upon success. If their
> own certificate has been signed by a trusted party (CA) then the user will
> be practically unaware of the decryption.
Nit: Not "re-encrypting with their own certificate". More properly, proxy
the HTTPS traffic, where the in-house part is between the browser and the
proxy. The proxy generates a certificate for the real server dynamically,
signs it with the in-house CA, and presents this certificate to the client
as the server's certificate. If the in-house CA certificate has been signed
by a trusted CA then the browser will accept this proxy certificate as the
server's certificate.
Be prepared to buy hardware SSL accelerators for the proxy.
Cheers.
-- Ng Pheng Siong <ngps@netmemetic.com> http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption _______________________________________________ firewall-wizards mailing list firewall-wizards@honor.icsalabs.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Ng Pheng Siong: "Re: [fw-wiz] Security of HTTPS"
- In reply to: Kevin Sheldrake: "Re: [fw-wiz] Security of HTTPS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
