Re: [fw-wiz] Firewall best practices

Sorry - read the paper. It boils down to included "already trusted CAs" on the browser and a complicit CA cooperating with a nefarious entity to issue another cert for a targeted domain.

The hardware device the paper refers to can have this cert installed and proceed to impersonate the targeted domain, thus decrypting all traffic destined for that destination.

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Cian Brennan
Sent: Wednesday, April 28, 2010 4:14 AM
To: Firewall Wizards Security Mailing List
Cc: mjr@xxxxxxxxx; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewall best practices

On Tue, Apr 27, 2010 at 11:12:40AM -0500, Fetch, Brandon wrote:
Too late:
http://files.cloudprivacy.net/ssl-mitm.pdf

And these devices are already in deployment...now, imagine one of these with a wildcard certificate running at a coffee house, or at the aggregation point within a provider's CO POP...

Where it would generate cert errors for every user?

These only make sense where you can install the proxy's wildcard cert on all of
the client machines. Neither coffee houses, nor ISPs can do this.

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of John Morrison
Sent: Tuesday, April 27, 2010 5:45 AM
To: Firewall Wizards Security Mailing List
Cc: mjr@xxxxxxxxx; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Firewall best practices

My understanding of https (and other PKI-based encryption) is that
only the holder of the private key can decrypt the data encrypted with
the other (public) key in the pair. My view is that the firewall can
only decrypt and inspect https traffic if it is acting as the server
to the external client. It can't intercept and decrypt https traffic
destined for another device - the real server. If it did https would
be worthless. Any hacker could buy such a firewall to sniff and
decrypt all https traffic.

On 23 April 2010 20:18, <david@xxxxxxx> wrote:
On Fri, 23 Apr 2010, Martin Barry wrote:

$quoted_author = "Marcus J. Ranum" ;

That's why firewalls need to go back to doing what they
originally did, and parsing/analyzing the traffic that
flows through them, rather than "stateful packet
inspection" (which, as far as I can tell, means that
there's a state-table entry saying "I saw SYN!")

Marcus, are you referring to DPI or proxies or both or something else
entirely?


If the firewall doesn't understand the data it's passing,
it's not a firewall, it's a hub.

If an application emulates HTTPS traffic and is proxy aware, how do you
tell the difference?

There are firewalls on the market that can decrypt HTTPS traffic (and I
believe can be configured to block any traffic that they can't decrypt)

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.
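The two interception cases argued over in this thread (a proxy CA that coffee-shop or ISP users never installed, versus a CA the client already trusts, whether pushed by an administrator or complicit) can be reproduced locally with Go's crypto/x509. This is an added example, not code from any poster or from the paper; the CA names and example.com are constructed, and the final check (comparing the root the chain ends in against the SHA-256 of the CA the site really uses) is an assumed issuer pin, the defender-side expectation that plain trust-store validation lacks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert mints an Ed25519 certificate for name: a self-signed root CA when parent is nil,
// otherwise a server certificate for that DNS name signed by the parent CA's key pkey.
func newCert(name string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true}
	signer, signKey := tmpl, key // self-signed root CA unless a parent is given
	if parent != nil { // leaf: the host the client connects to must appear as a SAN
		tmpl.DNSNames, signer, signKey = []string{name}, parent, pkey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo plays out the thread's cases for one forged cert (all names constructed): does a client whose store
// lacks the interception CA reject it, does one that trusts that CA accept it, and does an issuer pin catch it.
func Demo(host string) (rejectedPlain, acceptedLax, pinCatches bool) {
	siteCA, _ := newCert("Site Operator Root CA", nil, nil)
	mitmCA, mitmKey := newCert("Proxy or Complicit CA", nil, nil)
	forged, _ := newCert(host, mitmCA, mitmKey) // chains cleanly, looks like a valid cert for the target domain
	plain, lax := x509.NewCertPool(), x509.NewCertPool()
	plain.AddCert(siteCA) // coffee-shop or ISP users: the proxy's CA was never installed
	lax.AddCert(siteCA)
	lax.AddCert(mitmCA) // CA pushed to managed clients, or a CA the browser already shipped with
	pin := sha256.Sum256(siteCA.Raw) // assumed pin: the root the site operator's real chain ends in
	_, errPlain := forged.Verify(x509.VerifyOptions{Roots: plain, DNSName: host})
	chains, errLax := forged.Verify(x509.VerifyOptions{Roots: lax, DNSName: host})
	rejectedPlain, acceptedLax = errPlain != nil, errLax == nil
	pinCatches = acceptedLax && sha256.Sum256(chains[0][len(chains[0])-1].Raw) != pin
	return rejectedPlain, acceptedLax, pinCatches
}

func main() { fmt.Println(Demo("example.com")) }
```

Store validation alone is satisfied in the lax case, which is exactly the "complicit trusted CA" scenario; only an out-of-band expectation about the issuer exposes the forgery.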