On Tue, 23 Nov 2004 09:24:45 +0100, Ben Nagy <ben_at_iagu.net> wrote:
. . .
> or total mis-use of the protocol to ignore server authentication
> (nobody does that although it is supported in theory).

Are you referring to checking for a trusted signature on the
certificate presented by the server, or some other server
authentication?

I am not aware of any current web browser which fails to check whether
the server certificate is signed by a trusted CA. This was once a
"feature" of lynx-ssl, since resolved.

However, there are quite a few applications which tout SSL/TLS
encryption as a security measure, yet make no attempt to validate the
server certificate. It's perhaps reasonable for the application to
present a "certificate warning" dialog giving the user the option to
ignore the problem and proceed, but much more difficult to stomach an
application which doesn't even check validity at all.

Getting back on the topic of firewalls, I wonder if it would be
possible for a firewall not doing MITM for SSL to validate the
certificate presented by the remote server, and terminate the
attempted SSL session if the certificate does not match the remote
host, is not signed by an acceptable CA or has been revoked?

This would not entirely eliminate the threat of applications tunneling
other protocols inside SSL, but would provide enhanced protection
against clients which do not perform adequate certificate validation,
with relatively low overhead.
Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Dec 05 2004
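The passive check proposed in the mail above, as an added example in Go that is not part of the original thread: it parses the server's Certificate handshake message exactly as a firewall not doing MITM would see it on the wire, then passes the session only if the leaf chains to a configured CA and names the host the client asked for. The CA, the leaf certificate and the host name www.example.com are constructed test data; the revocation check the mail also asks for is not implemented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func u24(b []byte) int { return int(b[0])<<16 | int(b[1])<<8 | int(b[2]) } // TLS 3-byte length

// checkServerCert is the proposed firewall decision, run on a TLS 1.0-1.2 Certificate handshake body
// (uint24 list length, then uint24-prefixed DER certs, leaf first), which a non-MITM firewall sees in
// the clear: pass only if the leaf chains to an acceptable CA and names the requested host. (No CRL/OCSP.)
func checkServerCert(body []byte, host string, roots *x509.CertPool) error {
	if len(body) < 3 || u24(body) != len(body)-3 { return errors.New("bad certificate list length") }
	var chain []*x509.Certificate
	for rest := body[3:]; len(rest) > 0; rest = rest[3+u24(rest):] {
		if len(rest) < 3 || len(rest) < 3+u24(rest) { return errors.New("truncated certificate entry") }
		c, err := x509.ParseCertificate(rest[3 : 3+u24(rest)])
		if err != nil { return err }
		chain = append(chain, c)
	}
	if len(chain) == 0 { return errors.New("empty certificate chain") }
	inter := x509.NewCertPool() // entries after the first are intermediates the server supplied
	for _, c := range chain[1:] { inter.AddCert(c) }
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// makeChain: throwaway CA plus leaf for host (constructed test data); returns trust pool and message body.
func makeChain(host string) (*x509.CertPool, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // one key pair serves both certificates
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, pub, priv)
	caCert, _ := x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, pub, priv)
	var body []byte // leaf first, then the issuing CA, each with its own uint24 length prefix
	for _, der := range [][]byte{leafDER, caDER} { body = append(append(body, byte(len(der)>>16), byte(len(der)>>8), byte(len(der))), der...) }
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, append([]byte{byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
}
```

This only works for the TLS versions current when the mail was written: TLS 1.3 encrypts the server's Certificate message, so a firewall that does not terminate the session cannot read it.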