Firewall Wizards mailing list archives

RE: Blocking email through the web services


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Fri, 24 Jan 2003 17:35:46 +0200

Sure, they can check the certificate, but if there is no other way out, they
will either accept it, or not surf their email.

Either way, you win.

Implications are obviously that you are responsible for maintaining the
security of that intermediate certificate, in order to protect your users.
If anyone gets their hands on that cert, and your users are accustomed to
accepting it, or if their browsers have accepted the cert with which it was
signed, the attacker could snarf their banking credentials, etc.

Rogan

-----Original Message-----
From: Nieveler, Juergen [mailto:Juergen.Nieveler () akzonobeldeco de] 
Sent: 24 January 2003 05:09 PM
To: 'John Keeton'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Blocking email through the web services


There are products out there (I have product spew at work w/ the vendors
name if anyone is interested) that will be the ssl server to the browsers,
so you can then forward the http traffic to a filtering proxy, then back to
it, and it will make the session to the remote ssl server. The luser never
knows what happened. Costly though IIRC.

IIRC, MS ISA Server can do this, too. But a half-competent luser will check
the SSL certificate and notice that it's not the original one.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
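
Added example, not part of either message above: the certificate check both posters refer to, sketched with the openssl CLI. The CA names, the host name and all files are constructed for the demo; it compares a presented certificate against a fingerprint recorded out of band and reports whether the certificate was re-signed by the proxy's CA.

```shell
#!/usr/bin/env bash
# Added example: every key, CA and host name here is constructed locally.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca NAME CN: self-signed CA written to $work/NAME.key and $work/NAME.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}
# make_leaf NAME CA HOST: certificate for HOST signed by CA, in $work/NAME.crt
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -CA "$work/$2.crt" -CAkey "$work/$2.key" \
    -CAcreateserial -days 2 -out "$work/$1.crt" 2>/dev/null
}
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *CN=//'
}

# classify OBSERVED_CERT PINNED_FINGERPRINT PROXY_CA_CERT
# Prints one verdict: origin | proxy-resigned | unknown-issuer
classify() {
  if [ "$(fingerprint "$1")" = "$2" ]; then echo origin
  elif openssl verify -CAfile "$3" "$1" >/dev/null 2>&1; then echo proxy-resigned
  else echo unknown-issuer; fi
}

make_ca public "Demo Public CA"
make_ca proxy  "Demo Proxy CA"
make_ca other  "Demo Unrelated CA"
make_leaf origin  public webmail.example.test   # what the real site serves
make_leaf proxied proxy  webmail.example.test   # what the proxy presents instead
make_leaf rogue   other  webmail.example.test   # signed by neither CA
pin=$(fingerprint "$work/origin.crt")            # fingerprint recorded out of band

for c in origin proxied rogue; do
  printf '%-8s issuer=%-18s -> %s\n' "$c" "$(issuer_cn "$work/$c.crt")" \
    "$(classify "$work/$c.crt" "$pin" "$work/proxy.crt")"
done
```

The `proxy-resigned` verdict holds for any certificate signed with the proxy CA's key, whoever holds that key, which is the exposure the reply above describes.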

