Re: [fw-wiz] Firewall best practices

John Morrison wrote:
My understanding of https (and other PKI-based encryption) is that
only the holder of the private key can decrypt the data encrypted with
the other (public) key in the pair. My view is that the firewall can
only decrypt and inspect https traffic if it is acting as the server
to the external client. It can't intercept and decrypt https traffic
destined for another device - the real server. If it did https would
be worthless. Any hacker could buy such a firewall to sniff and
decrypt all https traffic.

Not entirely true. Way back when (1995/96) when I was hacking on firewall proxies I postulated a benevolent dictator MITM proxy for HTTPS (or other SSL services). This requires that you have your own signing CA and install its key as trusted in your users' browsers (or other software). The proxy can then impersonate the server and examine the traffic.

Since then, several implementations of such a beast have been created, some of which are open source.

--
Carson
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
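The mechanism Carson describes, as an added example that is not code from the thread or from any of the proxies he mentions: a private signing CA is created, a server certificate for the visited host is minted on the fly the way an impersonating proxy would, and a client validates it twice, once without the CA in its trust store and once with it. It also shows the defender-side check a client or endpoint agent can make: walk the verified chain and see whether it ends at the local interception CA instead of a public root. Everything here uses only Go's standard crypto/x509; the CA name and the host www.example.test are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key; every certificate below gets its own.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// MakeCA builds the self-signed "signing CA" that the proxy operator controls.
// The subject name is a constructed placeholder, not a real CA.
func MakeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Interception CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLeaf has the CA mint a server certificate for host, which is what the
// impersonating proxy does for each site a client connects to.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify validates leaf for host against exactly the roots supplied. An empty
// pool stands in for a client that has not installed the proxy's CA.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string) ([][]*x509.Certificate, error) {
	return leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
}

// ChainEndsAt reports whether the first verified chain terminates at ca. This
// is the client-side tell for interception: the root is the local CA, not a
// public one.
func ChainEndsAt(chains [][]*x509.Certificate, ca *x509.Certificate) bool {
	if len(chains) == 0 || len(chains[0]) == 0 {
		return false
	}
	return chains[0][len(chains[0])-1].Equal(ca)
}

// Demo runs the whole sequence for host and reports: rejected without the CA
// installed, accepted with it, and whether the accepted chain roots at the CA.
func Demo(host string) (rejected, accepted, rootIsCA bool, err error) {
	ca, caKey, err := MakeCA()
	if err != nil {
		return
	}
	leaf, err := IssueLeaf(ca, caKey, host)
	if err != nil {
		return
	}
	_, verr := Verify(leaf, x509.NewCertPool(), host) // CA not trusted: unknown authority
	rejected = verr != nil
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the "install its key as trusted" step from the message
	chains, err := Verify(leaf, trusted, host)
	if err != nil {
		return
	}
	accepted = true
	rootIsCA = ChainEndsAt(chains, ca)
	return
}

func main() {
	r, a, c, err := Demo("www.example.test")
	fmt.Printf("rejected without CA: %v, accepted with CA: %v, chain roots at CA: %v, err: %v\n", r, a, c, err)
}
```

The first verification fails with an unknown-authority error and the second succeeds, which is exactly why such a proxy is no threat to anyone who has not been made to trust its CA, and why, on a managed network, the chain's root is the thing to inspect or log when deciding whether a connection is being intercepted.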