Security Basics mailing list archives
RE: Preventing tunnels through HTTPS proxies
From: "Erik Soosalu" <eriks () nationalfastfreight com>
Date: Thu, 18 Jun 2009 13:38:27 -0400
-----Original Message-----
From: Morgan Reed [mailto:morgan.s.reed () gmail com]
Sent: Wednesday, June 17, 2009 11:03 PM
To: Erik Soosalu
Cc: Mariusz Kruk; security-basics () securityfocus com
Subject: Re: Preventing tunnels through HTTPS proxies

On Thu, Jun 18, 2009 at 04:27, Erik Soosalu<eriks () nationalfastfreight com> wrote:
> Read his paragraph again - he talks about re-encrypting the traffic with a Private CA. In an MS environment, this would be easy to push out the private cert via GPO.

The problem with this is that you've just eliminated the Authentication aspect of an SSL connection, as you are effectively MITMing the connection using your cert, which will be trusted by all clients. If the client were to visit a site using an invalid SSL cert, they will NOT see the SSL certificate warnings they would otherwise see. Although I suppose you could validate the SSL certs server-side and only pass connections to servers with a cert signed by a CA you trust, but then an invalid SSL cert is not always a problem and you may be blocking access to sites which are legitimate but have an invalid cert for one reason or another.
That's what the appliance we use does - validate every certificate en route. It does this without the inside SSL inspection as well, if you want. We hit maybe one or two certs per month we have to do a manual allow.
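The policy the two posts above describe, shown as an added example that is not code from the thread or from the appliance Erik mentions: once a proxy re-signs traffic with a private CA, the client can no longer judge the real server's certificate, so the proxy has to do that validation itself, and the "manual allow" for the occasional invalid-but-legitimate site becomes a pinned fingerprint on an exception list. The script builds a throwaway PKI with openssl (a stand-in root CA, one site chained to it, two self-signed sites) and applies the check to each. The hostnames, file names and the allow list are all constructed for the demo.

```shell
#!/bin/sh
# Added example: proxy-side upstream certificate policy for an SSL-inspecting
# proxy. Everything below (CA, site certificates, allow list) is constructed
# here; nothing is taken from the thread or from a real product.

WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Stand-in for a public root CA: this is what the proxy's trust store holds.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1

# A legitimate site whose certificate chains to the trusted CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=good.example" \
    -keyout good.key -out good.csr >/dev/null 2>&1
openssl x509 -req -in good.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 2 -out good.pem >/dev/null 2>&1

# Two sites with "invalid" certificates: self-signed, chained to nothing the
# proxy trusts. The browser would warn on these; behind an inspecting proxy
# it would not, so the proxy must decide instead.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=selfsigned.example" \
    -keyout self.key -out self.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=unknown.example" \
    -keyout unknown.key -out unknown.pem >/dev/null 2>&1

# SHA-256 fingerprint of a PEM certificate, colon-separated hex.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# The "manual allow" list: invalid certificates an admin has reviewed and
# pinned by fingerprint. Here it contains only selfsigned.example.
ALLOWLIST=$(fingerprint self.pem)

# upstream_policy CERT.pem -> prints one of: allow, allow-pinned, block
#   allow        chain verifies against the proxy's CA bundle
#   allow-pinned chain fails but the exact certificate is on the allow list
#   block        everything else (this is where the client would have seen
#                a warning; the proxy has to refuse on its behalf)
upstream_policy() {
    if openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; then
        echo allow
    elif printf '%s\n' "$ALLOWLIST" | grep -qxF "$(fingerprint "$1")"; then
        echo allow-pinned
    else
        echo block
    fi
}

for c in good.pem self.pem unknown.pem; do
    printf '%s: %s\n' "$c" "$(upstream_policy "$c")"
done
```

Pinning the whole-certificate fingerprint rather than adding the odd site's CA to the trust store keeps the exception narrow: when that site renews its certificate the entry stops matching and the connection is blocked again until someone re-reviews it, which is the behaviour you want from a list that is only meant to cover one or two cases a month.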
Current thread:
- Preventing tunnels through HTTPS proxies Michal Ludvig (Jun 17)
- Re: Preventing tunnels through HTTPS proxies Mariusz Kruk (Jun 17)
- RE: Preventing tunnels through HTTPS proxies Erik Soosalu (Jun 17)
- Re: Preventing tunnels through HTTPS proxies Morgan Reed (Jun 18)
- RE: Preventing tunnels through HTTPS proxies Erik Soosalu (Jun 18)
- RE: Preventing tunnels through HTTPS proxies Mariusz Kruk (Jun 19)
- RE: Preventing tunnels through HTTPS proxies Erik Soosalu (Jun 17)
- Re: Preventing tunnels through HTTPS proxies Mariusz Kruk (Jun 17)
- RE: Preventing tunnels through HTTPS proxies Ken Kousky (Jun 18)
- Message not available
- Re: Preventing tunnels through HTTPS proxies Aarón Mizrachi (Jun 18)