
Security Basics mailing list archives

Re: Question on appliances that do "decryption" of SSL
From: kaarthik rm <rm.something () gmail com>
Date: Tue, 26 Apr 2011 22:30:45 -0700

-Sent from my mobile device

--- original message ---
From: Edd Burgess <edd.burgess () cantab net>
Subject: Re: Question on appliances that do "decryption" of SSL
Date: 27th April 2011
Time: 1:20:52 am


If you want your connection to be confidential, even if you're sat on an
untrusted network, use SSH tunneling to a box you trust and have
connected to before (you know you have the correct RSA key, and it
hasn't changed).

ssh -D 4444 -N user@trustedhost.com

is what I use when travelling around in places that block/sniff
connections - facebooking from China for example.


On 25/04/2011 20:06, David Gillett wrote:
   Usually the device is a proxy -- the client connects to the device, and
the device to the server on the client's behalf.  Obviously the device needs
to offer the client a trusted certificate with a public key for which the
device itself has the private key.

   Yes, you can break this by removing your browser's trust of the device's
certificate signature.  But typically that does NOT mean that you get an
encrypted session that the box can't decrypt -- it means you get NO
connection.

Moral:  If you don't want your employer to be able to see what you are
doing, don't use their equipment/network to do it.

David Gillett

-----Original Message-----
From: Ray Van Dolson [mailto:rvdolson () gmail com]
Sent: Thursday, April 21, 2011 12:00
To: security-basics () securityfocus com
Subject: Question on appliances that do "decryption" of SSL

Hearing a lot from vendors these days that do "decryption" of SSL (usually
in the form of HTTPS presumably).  I've been trying to think up how this
could be implemented:

- Somehow the device has the private key of the remote site being accessed
(unlikely for Internet sites)
- The device presents a certificate that is "valid" to the browser/client
and then transparently proxies on to the "real" site.

Am I missing some other method?  This would be easy enough to circumvent by
removing your "organization" as a trusted CA from your browser... I'd think
also this could introduce concerns where an invalid certificate is being
used on the "real" site, though obviously the MITM device could relay this
back to the client with a bit of intelligence I suppose.

Thoughts?

Thanks,
Ray

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we
examine the importance of Apache-SSL and who needs an SSL certificate.  We
look at how SSL works, how it benefits your company and how your customers
can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server.
Throughout, best practices for set-up are highlighted to help you ensure
efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
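
The SSH tunnel advice in the thread depends on the trusted host's key being one you already recorded and that has not changed. The following is an added example, not part of any message in the thread: it compares an offered host key against a known_hosts entry and reports match, changed or unknown. The key blobs are constructed sample data, and trustedhost.com is the placeholder host name from the thread.

```python
import base64, hashlib, hmac, struct

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def make_rsa_blob(e: int, n: int) -> bytes:
    """Build a constructed ssh-rsa public key blob (sample data, not a real host key)."""
    def mpint(x: int) -> bytes:
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)

def fingerprint(blob: bytes) -> str:
    """Fingerprint in the SHA256:<base64> form that OpenSSH prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_type(blob: bytes) -> str:
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()

def check_host_key(known_hosts: str, host: str, offered: bytes) -> str:
    """Return 'match', 'changed' or 'unknown' for the key a server offers.
    Plain (unhashed) host names only; marker and comment lines are skipped."""
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        names, ktype, b64 = fields[:3]
        if host not in names.split(",") or ktype != key_type(offered):
            continue
        seen = True
        if hmac.compare_digest(base64.b64decode(b64), offered):
            return "match"
    return "changed" if seen else "unknown"

def _sample_modulus(seed: bytes) -> int:
    # Constructed 2048-bit number derived from a label; stands in for a real modulus.
    return int.from_bytes(hashlib.sha256(seed).digest() * 8, "big") | 1

TRUSTED_KEY = make_rsa_blob(65537, _sample_modulus(b"trusted host (constructed)"))
OTHER_KEY = make_rsa_blob(65537, _sample_modulus(b"unexpected key (constructed)"))
KNOWN_HOSTS = "trustedhost.com ssh-rsa " + base64.b64encode(TRUSTED_KEY).decode() + "\n"

if __name__ == "__main__":
    for label, key in (("recorded key", TRUSTED_KEY), ("different key", OTHER_KEY)):
        print(label, fingerprint(key), check_host_key(KNOWN_HOSTS, "trustedhost.com", key))
```

A "changed" result corresponds to the case where the ssh client refuses the connection and warns that the host identification has changed.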


