Re: [fw-wiz] Security of HTTPS

From: Frank Knobbe (
Date: 11/28/04

  • Next message: Mark Teicher: "Re: [fw-wiz] smtp proxy on firewall"
    To: Ng Pheng Siong <>
    Date: Sun, 28 Nov 2004 11:17:47 -0600

    On Sun, 2004-11-28 at 11:06, Ng Pheng Siong wrote:
    > Is the Michael Warfields discussion entitled "SSL and IPS" and dated about
    > 24 Jun 2004? I just skimmed that one very quickly: it seemed to be talking
    > about an IDS watching traffic over the wire, not a proxy doing MITM
    > actively and generating "pretend" certs on the fly.

    That's the one. And it came to mind when Erik said "I wouldn't
    necessarily call it a MITM attack, but there are some products
    out there that intentionally decrypt an SSL connection.", but then went
    on to describe a MITM attack. My comment was that there are products
    that don't present their own certificate (as in MITM), but instead
    decrypt the SSL session on the fly (which of course requires the keys of
    the server). The clients keys don't matter as the public key is
    exchanged and the private key is not required.

    > > I still think people put too much stock in SSL VPNs.
    > SSL VPNs give you security without compromising convenience! Woo-hoo!

    Heh... SSH VPNs give you convenience without compromising security! ;)



    firewall-wizards mailing list

  • Next message: Mark Teicher: "Re: [fw-wiz] smtp proxy on firewall"