Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: The Outgoing Traffic Problem
From: <lordchariot () earthlink net>
Date: Mon, 17 Jul 2006 16:19:11 -0400

Mike Barkett wrote:
It also requires the man-in-the-middle to proxy the public 
keys of every SSL
site visited.  S-L-O-W!!!!  Nevertheless, I'm sure many people will
voraciously pummel this problem with this cotton hammer for a 
few years, to
no avail.

There are a number of commercial man-in-the-middle solutions available, but
I contest that it's not as slow as you may think. Although it does put some
extra load on a proxy server, the impact occurs when you re-generate the
site's cert to present to the client. Once past that part, the session
encryption is is of lesser significant load. Then of course, there are SSL
accelerators to offload much of that anyway.

Decrypting SSL in this manner is a start. At least it can filter out all the
non-HTTP traffic that is getting tunneled through a blind 443/tcp (i.e.
skype or p2p traffic). It's when these tunneled protocols start behaving
like real http inside that it becomes more difficult to distinguish
malicious traffic.

On some level, I wonder why nobody ever uses the client authentication
features of SSL that have been around forever.  I mean, I 
know WHY, but now
we are paying for it.  IMO, if every client had to use 2+ factor
authentication to visit any SSL site, via client SSL proxy, 
it would at
least reduce this problem to a level of manageability consistent with
today's worms.  Again, slow, but maybe the only easy stopgap until The
Ranum-Robertson Corporation opens its doors for business.

Sigh. ANY authentication would be better than none at all. At least it can
add some accountability. 2-factor is not totally unreasonable, but until
there are some landmark legal cases with some real penalties, no one will
deploy to that scale...yet.


firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]