WebApp Sec mailing list archives

Re: Security tool for monitoring HTTPS traffic?


From: "lists AT dawes DOT za DOT net" <"lists AT dawes DOT za DOT net"@securityfocus.com>
Date: Thu, 26 Feb 2004 12:29:47 +0100

There very definitely are ways of looking at the content inside an HTTPS stream.

There are two major approaches to doing this: at the end-points, and in the middle. The first is an active approach; the second is more passive.

Observing at the end-points involves using a proxy application at either end of the connection that decrypts the stream. Two examples:

Using Apache with mod_proxy, where the Apache server has the SSL certificate, decrypts the traffic in the normal way, and relays the decrypted information to another server. The decrypted information can be observed, monitored, altered, etc as desired.

Using a client-side proxy, such as WebScarab, Odysseus, Spike, etc. on the client side, where the client reconfigures their proxy settings and the client-side proxy provides a faked certificate. This results in warning messages, but since the client is in control, they can choose to accept the warnings.

Passively observing the stream involves providing the server's SSL key to an application such as SSLDump, which uses TCPDump to observe network traffic and the provided key to decrypt the traffic and recover the plaintext, in parallel to the actual web server.

Hope this clears things up!

Rogan

John Reilly wrote:

I have a similar question too!

Are there products that can look inside HTTPS traffic? Some customers don't trust HTTPS traffic going inside the company over the proxy!

There is no way to look at the plain text content inside the https traffic - that would defeat the whole purpose of https.

Regards,
John

--
"Using encryption on the Internet is the equivalent of arranging an
armored car to deliver credit card information from someone living
in a cardboard box to someone living on a park bench."
- Gene Spafford
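The Apache with mod_proxy approach described in the reply above, as an added example that is not code from the original thread: a minimal Apache 2.4 virtual host that terminates TLS and relays the plaintext to the real web server, logging the decrypted requests along the way. The hostname, certificate paths, backend address and log path are placeholders, and mod_ssl, mod_proxy, mod_proxy_http, mod_headers and (optionally) mod_dumpio are assumed to be loaded.

```apache
# Constructed example: Apache holds the site's certificate, decrypts the
# HTTPS stream, and relays the plaintext to the real server behind it.
# Everything between the two hops is visible to this host.
Listen 443
<VirtualHost *:443>
    # Placeholder hostname and certificate paths.
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Relay the decrypted requests, in clear, to the real web server.
    # The backend address 10.0.0.10:80 is an assumed internal host.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.10:80/
    ProxyPassReverse / http://10.0.0.10:80/

    # Let the backend know the client actually arrived over HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # Record the decrypted request line, status and selected headers,
    # which is exactly what a sniffer on the wire could not see.
    LogFormat "%h %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" decrypted
    CustomLog /var/log/apache2/https-plaintext.log decrypted

    # Optional: dump full request and response bodies via mod_dumpio.
    # Very verbose; enable only while actively investigating.
    # LogLevel dumpio:trace7
    # DumpIOInput On
    # DumpIOOutput On
</VirtualHost>
```

The same pattern applies to any TLS-terminating reverse proxy; the point is that inspection happens at the end-point that legitimately holds the private key, not on the wire.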
