Hi Kevin,
> -----Original Message-----
> On Tue, 23 Nov 2004 09:24:45 +0100, Ben Nagy <ben_at_iagu.net> wrote:
> . . .
> > or total mis-use of the protocol to ignore server authentication
> > (nobody does that although it is supported in theory).
>
> Are you referring to checking for a trusted signature on the
> certificate presented by the server, or some other server
> authentication?
No, I was talking about the ANON_DH_* cipher suites, but trying to simplify.
Sorry. :(
[...]
> Getting back on the topic of firewalls, I wonder if it would be
> possible for a firewall not doing MITM for SSL to validate the
> certificate presented by the remote server, and terminate the
> attempted SSL session if the certificate does not match the remote
> host, is not signed by an acceptable CA or has been revoked?
So...we use the firewall to attempt to do "better" certificate validation
than the client. Sure it's possible, I'm just wondering if it's wise. As you
say, it offers to provide some extra protection with low overhead, but there
is strong potential for the usability to suck. Actually, _I_ was wondering
if it's possible to change IE's behaviour to "deny without asking" instead
of popping up the certificate warning dialog, perhaps via group policy, but
a rapid googling didn't turn up anything...
Cheers,
ben
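The firewall-side policy Kevin sketches (host match, acceptable CA, not revoked) as an added Python illustration; it is not code from this thread. It assumes the TLS stack has already parsed the server certificate into the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns and has verified the chain signatures, so the policy only compares the issuer against an allowlist; the certificate fields, issuer names, serial number and clock value are constructed.

```python
import ssl
import time

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); hypothetical values.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example Intermediate CA"),)),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan  1 00:00:00 2004 GMT",
    "notAfter": "Jan  1 00:00:00 2006 GMT",
    "subjectAltName": (("DNS", "www.example.net"), ("DNS", "*.cdn.example.net")),
}
SAMPLE_NOW = 1117584000  # constructed clock: 2005-06-01 UTC, inside the validity period

def hostname_matches(pattern, host):
    """RFC 6125-style dNSName match: case-insensitive, wildcard allowed only as
    the whole leftmost label, and it must match exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def name_from(rdn_seq, key):
    """Collect every value of attribute `key` from a getpeercert() name tuple."""
    return [v for rdn in rdn_seq for k, v in rdn if k == key]

def check_server_cert(cert, host, trusted_issuers, revoked_serials, now=None):
    """Return None if the certificate passes the firewall policy, otherwise the
    reason to terminate the session. Deny by default: a missing field fails."""
    now = time.time() if now is None else now
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # fall back to the subject CN only when no SAN is present
        names = name_from(cert.get("subject", ()), "commonName")
    if not any(hostname_matches(n, host) for n in names):
        return "hostname mismatch"
    issuer_cn = name_from(cert.get("issuer", ()), "commonName")
    if not issuer_cn or issuer_cn[0] not in trusted_issuers:
        return "issuer not in acceptable CA list"
    if cert.get("serialNumber", "").upper() in revoked_serials:
        return "certificate revoked"
    try:
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError):
        return "unparseable validity period"
    if not start <= now < end:
        return "certificate not within validity period"
    return None
```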
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Dec 08 2004