Firewall Wizards: Re: SSL

From: Eric Rescorla <ekr_at_rtfm.com>
Date: 18 Oct 2001 09:33:51 -0700

Frederick M Avolio <fred_at_avolio.com> writes:

> At 08:18 AM 10/16/01 -0400, Crumrine, Gary L wrote:
>
> >... If I allow SSL outbound, and a user
> >browses a web site that is corrupt with something harmful like NIMDA, is it
> >possible that they will infect my network...
>
> Yes. The firewall cannot examine it because the data is encrypted. SSL
> "proxies" are just circuit gateways. I know of no firewall that has a true
> SSL proxy wherein the data is encrypted between the firewall and the
> client, and the firewall and the server, but is in cleartext on the
> firewall. It is possible to do, but few customers (Paul Roberson) ask for it.

It's only possible to do this if the client cooperates. Otherwise, it
gets blocked by the same mechanisms that stop a man-in-the-middle
attack on SSL.

-Ekr
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Received on Oct 19 2001
