Firewall Wizards mailing list archives

Re: Security of HTTPS


From: Ng Pheng Siong <ngps () netmemetic com>
Date: Mon, 29 Nov 2004 00:33:15 +0800

On Sun, Nov 28, 2004 at 03:38:09PM -0000, Kevin Sheldrake wrote:
I expect others do too, to enable content filtering at an organisational
boundary, re-encrypting with their own certificate upon success.  If their
own certificate has been signed by a trusted party (CA) then the user will
be practically unaware of the decryption.

Nit: Not "re-encrypting with their own certificate". More properly, proxy
the HTTPS traffic, where the in-house part is between the browser and the
proxy. The proxy generates a certificate for the real server dynamically,
signs it with the in-house CA, and presents this certificate to the client
as the server's certificate. If the in-house CA certificate has been signed
by a trusted CA then the browser will accept this proxy certificate as the
server's certificate.

Be prepared to buy hardware SSL accelerators for the proxy.

Cheers.

-- 
Ng Pheng Siong <ngps () netmemetic com> 

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
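As an added example, not from the post or the list: the proxy's dynamic certificate step and the client's trust decision, modelled with Go's standard crypto/x509 package. The CA names, the host www.example.net and every key are constructed here. It plays through both the case the post describes (the in-house CA signed by a trusted CA and presented as an intermediate) and the more common deployment where the in-house CA is pushed straight into the client's trust store, and it includes the issuer-pinning check a client can use to tell the proxy's minted certificate from the real server's even when chain validation passes.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyAndCert pairs a certificate with the private key that goes with it.
type keyAndCert struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent (self-signs it when parent is nil) and returns
// the certificate together with its fresh P-256 key. Serial and validity are
// filled in here so callers only describe the subject and its role.
func issue(tmpl *x509.Certificate, parent *keyAndCert) (*keyAndCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)); err != nil {
		return nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyAndCert{cert: cert, key: key}, nil
}

// newCA builds a CA named name: a self-signed root when parent is nil,
// otherwise a subordinate CA signed by parent.
func newCA(name string, parent *keyAndCert) (*keyAndCert, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, parent)
}

// mintServerCert is the proxy's dynamic step from the post: a leaf certificate
// for host, signed by whichever CA the caller controls.
func mintServerCert(host string, ca *keyAndCert) (*x509.Certificate, error) {
	leaf, err := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
	if err != nil {
		return nil, err
	}
	return leaf.cert, nil
}

// clientAccepts models the browser: leaf must chain to a root in its trust
// store for host, using any intermediates presented in the handshake.
func clientAccepts(leaf *x509.Certificate, host string, roots, intermediates []*x509.Certificate) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range intermediates {
		interPool.AddCert(i)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: rootPool, Intermediates: interPool})
	return err == nil
}

// issuedBy is an issuer-pinning check: a client that knows which CA the real
// site uses notices the substitution even when chain validation succeeds.
func issuedBy(leaf, expectedIssuer *x509.Certificate) bool {
	return bytes.Equal(leaf.RawIssuer, expectedIssuer.RawSubject)
}

// Outcome records what the client does with each certificate (all constructed).
type Outcome struct {
	GenuineAccepted           bool // real site's cert; browser trusts the public root
	StandaloneAccepted        bool // self-signed in-house CA; browser trusts only the public root
	StandaloneTrustedAccepted bool // same cert, but the in-house CA was pushed into the trust store
	SubordinateAccepted       bool // in-house CA signed by the public root; browser trusts only the root
	GenuinePinHolds           bool // issuer pin against the public root, real cert
	SubordinatePinHolds       bool // issuer pin against the public root, proxy cert (should fail)
}

// runScenarios plays the post's setups through the checks above.
func runScenarios(host string) (Outcome, error) {
	var o Outcome
	publicRoot, err := newCA("Public Root CA (constructed)", nil)
	if err != nil {
		return o, err
	}
	standaloneCA, err := newCA("In-house Proxy CA (constructed)", nil)
	if err != nil {
		return o, err
	}
	subordinateCA, err := newCA("In-house Proxy CA (constructed)", publicRoot)
	if err != nil {
		return o, err
	}
	genuine, err1 := mintServerCert(host, publicRoot)
	fromStandalone, err2 := mintServerCert(host, standaloneCA)
	fromSubordinate, err3 := mintServerCert(host, subordinateCA)
	for _, e := range []error{err1, err2, err3} {
		if e != nil {
			return o, e
		}
	}
	public := []*x509.Certificate{publicRoot.cert}
	o.GenuineAccepted = clientAccepts(genuine, host, public, nil)
	o.StandaloneAccepted = clientAccepts(fromStandalone, host, public, nil)
	o.StandaloneTrustedAccepted = clientAccepts(fromStandalone, host, append(public, standaloneCA.cert), nil)
	o.SubordinateAccepted = clientAccepts(fromSubordinate, host, public, []*x509.Certificate{subordinateCA.cert})
	o.GenuinePinHolds = issuedBy(genuine, publicRoot.cert)
	o.SubordinatePinHolds = issuedBy(fromSubordinate, publicRoot.cert)
	return o, nil
}

func main() {
	o, err := runScenarios("www.example.net")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The minted leaf is identical in form to the genuine one; only the issuer differs, which is why chain validation alone cannot tell them apart once the in-house CA is trusted, and why an issuer pin (or a comparison against the issuer seen from outside the organisation) is the check that surfaces the proxy. Publicly trusted CAs are no longer permitted to sign subordinate CAs for interception, so in current deployments the in-house CA reaches clients through the organisation's own trust-store management, and the StandaloneTrustedAccepted path is the one that applies.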