Zone Labs response to "ZoneAlarm Pro 'Mobile Code' Bypass Vulnerability"

From: Zone Labs Product Security (Product-Security_at_zonelabs.com)
Date: 06/23/04

    Date: Tue, 22 Jun 2004 18:01:00 -0700
    To: <bugtraq@securityfocus.com>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ZoneAlarm Pro, Security Suite and Integrity products which employ
    Mobile Code Protection/ID Lock features do not inspect encrypted
    traffic. If mobile code is downloaded via a Secure Sockets Layer
    (SSL) session, it will not be inspected by these products. This is
    by design and mandated by the SSL Protocol specification.

    The intended purpose of SSL is to "provide privacy and reliability
    between two communicating applications [1]." Computer users have the
    expectation their SSL encrypted session will be encrypted end-to-end
    between the server and client application (in this case, the Web
    Browser).

    As stated in the SSL Protocol Version 3.0:

       For SSL to be able to provide a secure connection, both the client
       and server systems, keys, and applications must be secure [1].

    As such, Zone Labs products do not attempt to intercept, decrypt, proxy,
    or otherwise interfere with the SSL transaction. For our product -- or
    any other application -- to behave otherwise would violate the intent and
    design of the SSL specification and could potentially expose and/or
    risk the confidentiality of the data transmitted in the SSL
    transaction.

    A clarification of this common program limitation will be made
    in the product help files and program interface.

    Zone Labs encourages anyone with concerns about the security of our
    products or services to contact us at security@zonelabs.com.

    [1] http://wp.netscape.com/eng/ssl3/draft302.txt

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.2

    iQA/AwUBQNjWClDxXw2Is3mLEQJXvACg7qHHdJQ3O36pSypxv+BEnj8K1vEAoKc7
    WrvhXTtn75BZ3mu6XRzAWOqY
    =fXFJ
    -----END PGP SIGNATURE-----
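The design point in the response above is that a filter sitting on the network path sees only SSL ciphertext, so mobile-code inspection of an HTTPS download can only happen at the endpoint, after the browser (or a local hook at the same trust level as the browser) has decrypted the session. The following is an added illustration, not Zone Labs code and not a description of how their product works: a toy mobile-code filter is run at three inspection points (plaintext HTTP on the wire, the same response inside an encrypted stream on the wire, and the decrypted stream at the endpoint). The encryption is a constructed SHA-256 keystream XOR standing in for the TLS record layer; the HTTP response, tag list and session key are constructed sample data.

```python
"""Why a network-layer mobile-code filter cannot see inside an SSL/TLS session.

Added example, not Zone Labs code. find_mobile_code() is a toy stand-in for a
product's "Mobile Code Protection": it scans an HTTP response for active
content tags. encrypt_like_tls() is a constructed XOR keystream standing in
for TLS record encryption; it is not TLS and not a cipher to reuse.
"""
import hashlib
import re

# Active-content tags a wire-level filter would look for (constructed list).
MOBILE_CODE_TAGS = re.compile(rb"<\s*(script|object|applet|embed)\b", re.IGNORECASE)


def find_mobile_code(wire_bytes: bytes) -> list:
    """Return the active-content tag names visible in the given bytes."""
    return [m.group(1).lower().decode() for m in MOBILE_CODE_TAGS.finditer(wire_bytes)]


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream derived from the session key (constructed, toy)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_like_tls(session_key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for TLS record encryption: XOR the payload with the keystream."""
    ks = keystream(session_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


# XOR with the same keystream is its own inverse.
decrypt_like_tls = encrypt_like_tls

# Constructed sample HTTP response carrying two pieces of mobile code.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><script src='app.js'></script>"
    b"<object classid='clsid:00000000-0000-0000-0000-000000000000'></object>"
    b"</body></html>"
)
SESSION_KEY = b"constructed-session-key"  # constructed; a real session key is negotiated per connection


def compare_inspection_points() -> dict:
    """Run the filter at each inspection point and report what it can see.

    wire_http: plaintext HTTP on the network path -> tags are visible.
    wire_ssl:  the same response inside the encrypted session -> nothing visible.
    endpoint:  after decryption at the client -> tags are visible again.
    """
    on_wire_http = find_mobile_code(SAMPLE_RESPONSE)
    ciphertext = encrypt_like_tls(SESSION_KEY, SAMPLE_RESPONSE)
    on_wire_ssl = find_mobile_code(ciphertext)
    at_endpoint = find_mobile_code(decrypt_like_tls(SESSION_KEY, ciphertext))
    return {"wire_http": on_wire_http, "wire_ssl": on_wire_ssl, "endpoint": at_endpoint}


if __name__ == "__main__":
    for point, found in compare_inspection_points().items():
        print(f"{point:10s} -> {found}")
```

The practical consequence for a defender is the one the vendor states: a network-path filter that is not a TLS-terminating proxy has no visibility into HTTPS-delivered content, so controls for mobile code delivered over SSL belong in the browser's own security settings or in an endpoint component that inspects content after decryption, not in the packet path.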
