Re: [fw-wiz] Security of HTTPS

From: Frank Knobbe (
Date: 11/28/04

  • Next message: Mark Teicher: "Re: [fw-wiz] smtp proxy on firewall"
    To: Ng Pheng Siong <>
    Date: Sun, 28 Nov 2004 11:17:47 -0600

    On Sun, 2004-11-28 at 11:06, Ng Pheng Siong wrote:
    > Is the Michael Warfield's discussion entitled "SSL and IPS" and dated about
    > 24 Jun 2004? I just skimmed that one very quickly: it seemed to be talking
    > about an IDS watching traffic over the wire, not a proxy doing MITM
    > actively and generating "pretend" certs on the fly.

    That's the one. And it came to mind when Erik said "I wouldn't
    necessarily call it a MITM attack, but there are some products
    out there that intentionally decrypt an SSL connection.", but then went
    on to describe a MITM attack. My comment was that there are products
    that don't present their own certificate (as in MITM), but instead
    decrypt the SSL session on the fly (which of course requires the keys of
    the server). The client's keys don't matter as the public key is
    exchanged and the private key is not required.

    > > I still think people put too much stock in SSL VPNs.
    > SSL VPNs give you security without compromising convenience! Woo-hoo!

    Heh... SSH VPNs give you convenience without compromising security! ;)



    firewall-wizards mailing list
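The two inspection designs Frank contrasts above, as an added example that is not part of the original thread and models no real product: a toy Python simulation (textbook RSA and Diffie-Hellman with small constructed parameters, a SHA-256 stand-in for the TLS PRF) of what an on-path decryptor can do when it holds only the server's private key. It goes one step beyond the message to show the caveat a practitioner would want: passive decryption works for RSA key transport, where the client encrypts the premaster secret to the server's public key, but not for ephemeral DH suites, where the server's key only signs the exchange and the session secret never depends on it. The parameter sizes, message names and the `kx`/`ckx`/`skx` field names are assumptions made for this example.

```python
"""Toy model of the two SSL-inspection designs discussed in the thread.

Passive decryption: an on-path box holding a copy of the SERVER's private key
unwraps the premaster secret from the captured handshake and never presents a
certificate of its own.  Textbook RSA/DH with small constructed parameters;
nothing here is real TLS or a real product."""
import hashlib
import secrets

# Constructed toy parameters, chosen so the script runs offline without a crypto
# library.  Real servers use 2048-bit+ RSA keys and 2048-bit+ DH groups or ECDHE.
P, Q = (1 << 127) - 1, (1 << 89) - 1          # Mersenne primes (known to be prime)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # server's RSA private exponent
SERVER_PUB, SERVER_PRIV = (N, E), (N, D)
DH_P, DH_G = (1 << 61) - 1, 3                # toy DH group (2^61-1 is prime)
PREMASTER_LEN = 16                            # toy; the TLS RSA premaster is 48 bytes


def derive_session_key(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the TLS PRF: the session key binds the premaster to both nonces."""
    return hashlib.sha256(premaster + client_random + server_random).digest()


def rsa_handshake():
    """TLS_RSA_* key transport: the client encrypts a fresh premaster with the
    server's PUBLIC key (no PKCS#1 padding in this toy).  Returns the messages an
    on-path observer sees and the session key both endpoints derived."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.token_bytes(PREMASTER_LEN)
    n, e = SERVER_PUB
    wrapped = pow(int.from_bytes(premaster, "big"), e, n)      # ClientKeyExchange
    wire = {"kx": "rsa", "cr": client_random, "sr": server_random, "ckx": wrapped}
    return wire, derive_session_key(premaster, client_random, server_random)


def dhe_handshake():
    """TLS_DHE_* key agreement: the server's RSA key only SIGNS g^b; the premaster
    comes from the ephemeral exponents a and b, which never leave the endpoints."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    a = secrets.randbelow(DH_P - 3) + 2
    b = secrets.randbelow(DH_P - 3) + 2
    g_a, g_b = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    premaster = pow(g_b, a, DH_P).to_bytes(8, "big")            # == pow(g_a, b, DH_P)
    wire = {"kx": "dhe", "cr": client_random, "sr": server_random, "skx": g_b, "ckx": g_a}
    return wire, derive_session_key(premaster, client_random, server_random)


def passive_decrypt(wire, server_priv):
    """The passive decryptor from the thread.  Input: captured handshake plus the
    server's private key.  No client key is involved at all.
    Returns the session key, or None when the key exchange does not allow it."""
    if wire["kx"] != "rsa":
        # Only g^a and g^b are on the wire; the server's d does not recover a or b.
        # Inspecting such a session needs the other design: an active MITM proxy
        # that presents its own certificate and is the endpoint of two sessions.
        return None
    n, d = server_priv
    premaster = pow(wire["ckx"], d, n).to_bytes(PREMASTER_LEN, "big")
    return derive_session_key(premaster, wire["cr"], wire["sr"])


if __name__ == "__main__":
    w, k = rsa_handshake()
    print("RSA kx: passive decrypt recovers key:", passive_decrypt(w, SERVER_PRIV) == k)
    w, k = dhe_handshake()
    print("DHE kx: passive decrypt recovers key:", passive_decrypt(w, SERVER_PRIV) == k)
```

The point of the contrast is operational: a passive decryptor needs a copy of every inspected server's private key (and a server-side policy that still negotiates RSA key transport), while an active proxy needs none of the servers' keys but does need every client to trust the CA it uses to mint certificates on the fly, which is exactly the man-in-the-middle shape Erik described.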

