Security Basics mailing list archives
Re: filter ssl traffic
From: Phil Brammer
Date: Tue, 25 Nov 2003 16:44:31 -0600

On Mon, Nov 24, 2003 at 02:42:09PM -0600, Burton M. Strauss III wrote:
> What you might want to do is create an ssl proxy. Then users create an ssl connection to the proxy and the proxy creates a connection to the remote site. That gives the proxy machine visibility of the unencrypted data.
>
> Don't know if such a beast exists as freeware - search the web for 'transparent ssl proxy' - you'll find some interesting reading and a commercial product or two that might meet your needs.
>
> -----Burton

How do you propose to do this? I can only imagine the world of legal hurt you'd find yourself in if I was one of your employees (for instance) and found out that what I *thought* was encrypted end-to-end was really only encrypted end-to-proxy.

SSL is designed to be encrypted end-to-end. That's the SSL server and the client's browser. I'm still not sure how you'd get this to work when the browser I'm using isn't "connecting" to your proxy server. It's connecting to the SSL server (ie. placing an order at amazon.com or something where I might want a secure connection). Also, where are the SSL keys stored in your proxying example? What about cookies?

I've seen documentation on companies like Secure Computing and Webwasher, but I'd have to disagree with their concepts. Bottom line, if it is possible to act as the middle man with proxying software and SSL transactions, then I think that a protocol rewrite is in order. Allowing for interception of credit card numbers, personal information, etc... is not only grounds for breaking the (gasp) DMCA, but also numerous other laws in which my privacy is guaranteed.

This is a bad idea any way you look at it. Yes, I suppose it is possible, but I truly think that this is a bad road to head down.

Phil
