RE: SSL - Man-in-the-Middle filtering


Isn't this an interference in an encrypted communication, penalized by the
law? And ... as a user, how can you trust the confidentiality this
communication when you found out about?

marian



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Ravi Chunduru
Sent: 08 December 2007 18:33
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: SSL - Man-in-the-Middle filtering

it seems that some network IPS devices and application firewalls are
not only providing SSL based HTTP inspection on server side, but also
on client side (i know of one IPS device which is in beta testing).
i understand that it is required as attacks can be sent in SSL to
avoid blocking.

when deployed on client side, these devices resign certificates (of
public servers) with local CA certificate. i see two aspects to it -
users need to trust local authority (enterprise administrators) and
second is users will have false sense of security (that is users are
no longer see the actual CA of server certificate).

any comments on acceptance of this functionality in enterprise deployments?

is there any standard mechanism (in SSL standard or in HTTP standard)
to send actual CA certificate to the browser by forward proxies?

thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Relevant Pages

  • Re: Attn: real cryptographers - how safe would you be?
    ... Conceal the fact that you're sending or receiving ciphertext. ... internet access can mount a man-in-the-middle attack against SSL, ... certificate chain looks healthy and culminates in a top-level ... certificate authority you trust. ...
    (sci.crypt)
  • Re: Cant get SSL to work locally
    ... SelfSSL just lowers the bar to enabling SSL on IIS (many people mistake ... needing Certificate Server or is just not possible "for free" with IIS). ... does not attempt to address the issue of trust. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Cant get SSL to work locally
    ... It's a matter of trust, ... IIS works with any ... And even with a certificate that's not ... with certificates that can't be trusted is not that SSL wouldn't work. ...
    (microsoft.public.inetserver.iis.security)
  • Re: how can you verify that the site you get is not a fake?
    ... > Web Site Identity Verified ... a certificate authority you trust for this purpose. ... by using a main frame protected via HTTP/S and a valid SSL ...
    (Fedora)
  • Re: Proposal for a new PKI model (At least I hope its new)
    ... > Then the world would have no problem trusting your domain level PKI ... coined the term "certificate manufacturing" to distinquish from actual ... it turns out that one of the reasons for the SSL server domain name ...
    (sci.crypt)