Re: [fw-wiz] The Outgoing Traffic Problem

Mike Barkett wrote:
It also requires the man-in-the-middle to proxy the public keys of every SSL
site visited. S-L-O-W!!!! Nevertheless, I'm sure many people will voraciously
pummel this problem with this cotton hammer for a few years, to no avail.

There are a number of commercial man-in-the-middle solutions available, but
I contest that it's not as slow as you may think. Although it does put some
extra load on a proxy server, the impact occurs when you re-generate the
site's cert to present to the client. Once past that part, the session
encryption is a much less significant load. Then of course, there are SSL
accelerators to offload much of that anyway.

Decrypting SSL in this manner is a start. At least it can filter out all the
non-HTTP traffic that is getting tunneled through a blind 443/tcp (i.e.
skype or p2p traffic). It's when these tunneled protocols start behaving
like real http inside that it becomes more difficult to distinguish
malicious traffic.

On some level, I wonder why nobody ever uses the client authentication
features of SSL that have been around forever. I mean, I know WHY, but now
we are paying for it. IMO, if every client had to use 2+ factor
authentication to visit any SSL site, via client SSL proxy, it would at
least reduce this problem to a level of manageability consistent with
today's worms. Again, slow, but maybe the only easy stopgap until The
Ranum-Robertson Corporation opens its doors for business.

Sigh. ANY authentication would be better than none at all. At least it can
add some accountability. 2-factor is not totally unreasonable, but until
there are some landmark legal cases with some real penalties, no one will
deploy to that scale...yet.


firewall-wizards mailing list
