[fw-wiz] The Outgoing Traffic Problem --
- From: "Marcus J. Ranum" <mjr@xxxxxxxxx>
- Date: Tue, 11 Jul 2006 21:51:35 -0400
about recent hacks against the US State Department
contains and interesting nugget near the back:
"After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet. Hackers can exploit weaknesses in this technology to break into computers, and they can use the same technology to transmit stolen information covertly off a victim's network.
Many diplomats were unable to access their online bank accounts using government computers because most financial institutions require the security technology to be turned on."
So, reading between the lines, it would appear that the bad guys were
using SSL egress as a conduit. Some of us (me, Paul, Fred..) were
predicting back in the mid-1990's that this would eventually be a problem.
So perhaps a bit of this message is "I told you so!" but it does raise an
interesting question. Once you've got a user base that is accustomed
be being able to send arbitrary encrypted streams out through your firewall,
what ARE you going to do when the bad guys start tunnelling in with your
In Marcus-land, it seems an act of insanity to allow
(anyone inside) -> (anyplace outside)
SSL connectivity. For exactly the reasons that State appears to be
in the process of discovering.
What are most organizations doing about this?? Do most security
managers have their heads still firmly in the sand on this topic?
I trust that everyone realizes that it's going to get worse, not better,
As far as I can see, the endgame is going to be one of two
- Organizations are going to try to add signature-style
controls to SSL transactions and are going to rely on "man
in the middle" style interception tricks and (call 'em what
you want) signatures to detect malicious traffic
- Organizations are going to have to positively identify
sites with which it is necessary/appropriate to do SSL
I don't see a lot of future in EITHER of those options. The first
one falls apart really fast if anyone ever fixes SSL's certificate
trust model (not highly likely) but since it's signature-based
it'll fail when the hackers add superencryption to their command
streams. The second option would have worked if it had been
approached 10 years ago but ironically there's finally enough
SSL being used that it's probably too late. And reining it in
would be bad, anyhow. So what happens? Is the long term
prognosis as bad as I think it is? I'm just afraid that the
hackers, malcode-writers, and botnetters of the world are going
to have an impact on the entire Internet that is comparable to
the impact that the spammers have had on Email systems:
namely, they have degraded the value and raised the costs
of the system to the point where it's worth 1/100th of what it
should be. As many of you have noticed, this boils my
Someone, please - tell me I am wrong and that somehow
it'll get fixed soon.
firewall-wizards mailing list
- Prev by Date: Re: [fw-wiz] 4+ port firewall recommendation, VPN & VoIP capable. ..
- Next by Date: Re: [fw-wiz] The Outgoing Traffic Problem --
- Previous by thread: Re: [fw-wiz] 4+ port firewall recommendation, VPN & VoIP capable. ..
- Next by thread: Re: [fw-wiz] The Outgoing Traffic Problem --