Security Basics mailing list archives
RE: Preventing tunnels through HTTPS proxies
From: Mariusz Kruk <kruk () epsilon eu org>
Date: Fri, 19 Jun 2009 08:42:13 +0200
On Thu, 2009-06-18 at 13:38 -0400, Erik Soosalu wrote:
Read his paragraph again - he talks about re-encrypting the traffic with a Private CA. In a MS environment, this would be easy to push out the private cert via GPO.

The problem with this is that you've just eliminated the Authentication aspect of an SSL connection, as you are effectively MITMing the connection using your cert which will be trusted by all clients; if the client were to visit a site using an invalid SSL cert they will NOT see the SSL certificate warnings they would otherwise see. Although I suppose you could validate the SSL certs server-side and only pass connections to servers with a cert signed by a CA you trust, but then an invalid SSL cert is not always a problem and you may be blocking access to sites which are legitimate but have an invalid cert for one reason or another.

That's what the appliance we use does - validate every certificate en route. It does this without the inside SSL inspection as well if you want. We hit maybe one or two certs per month we have to do a manual allow.
But it's not a solution. It's just a workaround. The problem, as I see it, is not the SSL tunnel itself. It's the users connecting via unauthorised means. And we still can bypass the filters by, for example (I think someone already mentioned that), sending encrypted data as arguments of an HTTP POST request via an SSL connection. It'd get passed as legitimate HTTP traffic while being in fact a VPN connection. If such re-encrypting appliances become more commonly used, I'd bet we'll see more of such multi-layer techniques as I described above.
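An added detection sketch, not part of the original post or of any appliance mentioned in the thread: on a proxy that already decrypts traffic, the POST-body tunnel described above can be surfaced by flagging client/host pairs that repeatedly send high-entropy bodies. The record layout, thresholds and sample data are assumptions constructed for illustration; compressed uploads also score high, so hits are leads to review, not verdicts.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the observed byte distribution."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def flag_tunnel_candidates(records, threshold=5.5, min_size=256, min_posts=3):
    """Return (client, host) pairs with repeated high-entropy POST bodies.

    base64 of ciphertext sits near 6 bits/byte and raw ciphertext near 8;
    form fields and JSON text usually stay below 5.
    """
    hits = defaultdict(int)
    for client, host, method, body in records:
        if (method == "POST" and len(body) >= min_size
                and shannon_entropy(body) >= threshold):
            hits[(client, host)] += 1
    return sorted(pair for pair, n in hits.items() if n >= min_posts)


def pseudo_ciphertext(seed: int) -> bytes:
    """Constructed, deterministic stand-in for 768 bytes of encrypted payload."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(24))


# Constructed sample of decrypted proxy records: (client, host, method, body).
FORM = b"user=alice&comment=" + b"please reset my intranet portal password " * 8
SAMPLE = [("10.0.0.5", "intranet.example", "POST", FORM)] * 4
# One client repeatedly posting base64-wrapped ciphertext to the same host.
SAMPLE += [("10.0.0.9", "blog.example", "POST",
            b"d=" + base64.b64encode(pseudo_ciphertext(i))) for i in range(4)]
# A single binary upload: high entropy, but not repeated, so not flagged.
SAMPLE += [("10.0.0.7", "files.example", "POST", pseudo_ciphertext(99))]

if __name__ == "__main__":
    print(flag_tunnel_candidates(SAMPLE))
```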