Re: [fw-wiz] Firewall best practices

John Morrison wrote:
My understanding of https (and other PKI-based encryption) is that
only the holder of the private key can decrypt the data encrypted with
the other (public) key in the pair. My view is that the firewall can
only decrypt and inspect https traffic if it is acting as the server
to the external client. It can't intercept and decrypt https traffic
destined for another device - the real server. If it did https would
be worthless. Any hacker could buy such a firewall to sniff and
decrypt all https traffic.

Not entirely true. Way back when (1995/96) when I was hacking on firewall proxies I postulated a benevolent dictator MITM proxy for HTTPS (or other SSL services). This requires that you have your own signing CA and install its key as trusted in your users' browsers (or other software). The proxy can then impersonate the server and examine the traffic.

Since then, several implementations of such a beast have been created, some of which are open source.

firewall-wizards mailing list