Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: The Outgoing Traffic Problem --
From: Carson Gaspar <carson () taltos org>
Date: Tue, 25 Jul 2006 15:16:05 -0700

--On Tuesday, July 11, 2006 9:51 PM -0400 "Marcus J. Ranum" <mjr () ranum com> 

As far as I can see, the endgame is going to be one of two
- Organizations are going to try to add signature-style
controls to SSL transactions and are going to rely on "man
in the middle" style interception tricks and (call 'em what
you want) signatures to detect malicious traffic
- Organizations are going to have to positively identify
sites with which it is necessary/appropriate to do SSL

I really wish I'd gone & patented my "benevolent dictator MITM attack" back 
in '96, but I was/am too damned lazy... I haven't looked at the current 
crop of commercial MITM SSL proxies, but one simple method of weeding out 
some naughty connections is for the proxy to enforce server cert validity 
(with the inevitable exception list for crap sites that we nonetheless must 
do business with). I suspect this would stop a large percentage of HTTPS 
phone-home schemes, unless they're using hijacked sites' legitimate certs.

Of course that's just another finger in one of many holes in the dike. 
Personally, I'd love to deploy a dual client environment using some syscall 
ACL tech. Normal apps have full (well, normal user) local privs, but may 
only go to whitelisted sites off net. To access random cruft, a user must 
use a sandboxed app that is allowed to do very little indeed. I _think_ 
this would be a decent tradeoff that would allow crap 3rd party apps to 
work, and allow users to visit their favorite malware-infected sites 
without sideswiping the rest of the company on the way. Of course, 
enforcing that only the sandboxed app can get at the default-permit proxy 
is an interesting technical and political problem...

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]