Security Basics mailing list archives

Re: Preventing tunnels through HTTPS proxies


From: Morgan Reed <morgan.s.reed () gmail com>
Date: Thu, 18 Jun 2009 13:02:59 +1000

On Thu, Jun 18, 2009 at 04:27, Erik Soosalu <eriks () nationalfastfreight com> wrote:
> Read his paragraph again - he talks about re-encrypting the traffic with
> a Private CA.  In a MS environment, this would be easy to push out the
> private cert via GPO.

The problem with this is that you've just eliminated the
Authentication aspect of an SSL connection, as you are effectively
MITMing the connection using your cert, which will be trusted by all
clients. If a client were to visit a site using an invalid SSL cert,
they will NOT see the SSL certificate warnings they would otherwise
see.

I suppose you could validate the SSL certs server-side and
only pass connections to servers with a cert signed by a CA you trust,
but then an invalid SSL cert is not always a problem, and you may be
blocking access to sites which are legitimate but have an invalid cert
for one reason or another.
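The two positions in this reply, modelled in code as an added example (it is not code from the thread or from any product mentioned in it): the weak upstream TLS setting in which an intercepting proxy trusts any origin certificate, the corrected setting in which the proxy validates the origin chain and hostname itself, and a policy layer that keeps a "legitimate but invalid cert" site reachable through a per-host, per-failure-kind exception instead of blanket trust. The proxy design, all function and class names, the sample hostnames and the exception list are assumptions made for the example; the verify-message substrings are common OpenSSL and Python wordings and the classifier is best-effort.

```python
"""Upstream certificate validation policy for a TLS-intercepting proxy.

Added example, not code from the mailing-list thread.  Assumed design:
the proxy presents a private-CA certificate to the client and opens its
own TLS session to the origin server.  Every name here is hypothetical
and the exception list below is constructed sample data.
"""
import ssl
from dataclasses import dataclass
from typing import Optional


# --- 1. Upstream TLS configuration -------------------------------------

def upstream_context_no_validation() -> ssl.SSLContext:
    """The weak setting: the proxy accepts any origin certificate.

    The client only ever sees the proxy's private-CA certificate, so an
    origin that is expired, self-signed or issued for the wrong name
    produces no browser warning at all: the authentication property of
    the client's SSL session is gone.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def upstream_context_validating(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: the proxy validates the origin itself.

    create_default_context() sets CERT_REQUIRED and check_hostname=True and
    loads the system trust store (or ``cafile`` when one is given).
    """
    return ssl.create_default_context(cafile=cafile)


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the two settings that decide whether validation happens."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


# --- 2. Classify an upstream verification failure ----------------------

# Substrings of verify messages commonly produced by OpenSSL / Python.
# Wordings differ between OpenSSL versions, so this map is best-effort.
_ERROR_KINDS = (
    ("certificate has expired", "expired"),
    ("self-signed certificate", "self-signed"),
    ("self signed certificate", "self-signed"),
    ("unable to get local issuer certificate", "untrusted-issuer"),
    ("hostname mismatch", "hostname-mismatch"),
)


@dataclass(frozen=True)
class UpstreamResult:
    host: str
    verified: bool
    error_kind: Optional[str] = None
    detail: str = ""


def result_from_error(host: str, exc: BaseException) -> UpstreamResult:
    """Turn the exception raised by the upstream handshake into a record."""
    message = getattr(exc, "verify_message", None) or str(exc)
    lowered = message.lower()
    kind = next((k for needle, k in _ERROR_KINDS if needle in lowered), "other")
    return UpstreamResult(host=host, verified=False, error_kind=kind, detail=message)


# --- 3. Policy: what to do with the client's request -------------------

@dataclass(frozen=True)
class Decision:
    action: str                 # "forward" or "block"
    reason: str
    exception_applied: bool = False


def decide(result: UpstreamResult, exceptions: dict) -> Decision:
    """Forward only validated origins, with narrowly scoped exceptions.

    ``exceptions`` maps host -> set of failure kinds an administrator has
    reviewed and accepted for that host.  An exception for an expired
    certificate on one host therefore does not also excuse a hostname
    mismatch on the same host, nor anything on any other host.
    """
    if result.verified:
        return Decision("forward", "upstream certificate chain validated")
    tolerated = exceptions.get(result.host, frozenset())
    if result.error_kind in tolerated:
        return Decision("forward",
                        f"admin exception for {result.error_kind} on {result.host}",
                        exception_applied=True)
    return Decision("block",
                    f"upstream validation failed ({result.error_kind}): {result.detail}")


# Constructed sample: one internal site whose expired cert has been reviewed.
SAMPLE_EXCEPTIONS = {"intranet.example.test": frozenset({"expired"})}


if __name__ == "__main__":
    print(describe_context(upstream_context_no_validation()))
    print(describe_context(upstream_context_validating()))
    samples = [
        ("intranet.example.test", ssl.SSLCertVerificationError("certificate has expired")),
        ("intranet.example.test", ssl.SSLCertVerificationError(
            "Hostname mismatch, certificate is not valid for 'intranet.example.test'.")),
        ("bank.example.test", ssl.SSLCertVerificationError("self-signed certificate in certificate chain")),
    ]
    for host, exc in samples:
        print(decide(result_from_error(host, exc), SAMPLE_EXCEPTIONS))
```

The point of the split between `result_from_error` and `decide` is that the proxy's handshake code never makes the trust decision on its own: it reports what failed, and the policy, with its explicit per-host list, decides. Blanket `CERT_NONE` removes that decision entirely, which is exactly the loss of authentication the reply describes.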
