Home page logo
/

basics logo Security Basics mailing list archives

RE: Question on appliances that do "decryption" of SSL
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 25 Apr 2011 12:06:34 -0700

  Usually the device is a proxy -- the client connects to the device, and
the device to the server on the client's behalf.  Obviously the device needs
to offer the client a trusted certificate with a public key for which the
device itself has the private key.

  Yes, you can break this by removing your browser's trust of the device's
certificate signature.  But typically that does NOT mean that you get an
encrypted session that the box can't decrypt -- it means you get NO
connection.

Moral:  If you don't want your employer to be able to see what you are
doing, don't use their equipment/network to do it.

David Gillett

-----Original Message-----
From: Ray Van Dolson [mailto:rvdolson () gmail com]
Sent: Thursday, April 21, 2011 12:00
To: security-basics () securityfocus com
Subject: Question on appliances that do "decryption" of SSL

Hearing a lot from vendors these days that do "decryption" of SSL (usually
in the form of HTTPS presumably).  I've been trying to think up how this
could be implemented:

- Somehow the device has the private key of the remote site being accessed
(unlikely for Internet sites)
- The device presents a certificate that is "valid" to the browser/client
and then transparently proxies on to the "real" site.

Am I missing some other method?  This would be easy enough to circumvent by
removing your "organization" as a trusted CA from your browser... I'd think
also this could introduce concerns where an invalid certificate is being
used on the "real" site, though obviously the MITM device could relay this
back tot he client with a bit of intelligence I suppose.

Thoughts?

Thanks,
Ray

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we
examine the importance of Apache-SSL and who needs an SSL certificate.  We
look at how SSL works, how it benefits your company and how your customers
can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server.
Throughout, best practices for set-up are highlighted to help you ensure
efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault