lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: john_sec_lists at (John Sec)
Subject: SSL Filtering

>Now you can buy products off-the-shelf that man-in-the-middle SSL with
>the "new feature" called SSL Filtering; both WebWasher and Secure
>Computing are offering this functionality.
>In summary, the transparent SSL proxy dynamically issues certificates
>for any SSL server you try to communicate with (e.g. ""),
>which allows it to act as though it were the actual server and proxy,
>decrypt, and filter all SSL information from the server. Somehow or
>another, your browser must trust the proxy server's own root CA. Of
>course, your company's security policy will surely require you to do so.
>A whitepaper is available that includes a poignant section labeled "What
>Are Employees Trying To Hide?" (check the diagram near the bottom for a
>process flow diagram):
>Here's an eWeek article on the topic:
>From the article: "Because SSL is a secure and encrypted connection, it
>has been impossible to scan SSL connections for viruses or to apply
>content filters to the information that passes through an SSL
>connection. ... If a visitor to the company uses the network to access a
>secure Web-mail client, it makes it possible to break this security and
>scan a user's mail."
>Note that companies that use CONNECT to tunnel secure communication and
>don't use SSL or other PKI-derived methods /for authentication/ can not
>be man-in-the-middled by this. So, SSL as a protocol may be fine, but
>this is one more reason not to get too comfortable with its PKI.

Is there a way to detect if this MITM is being performed?

Fretting that your Hotmail account may expire because you forgot to sign in 
enough? Get Hotmail Extra Storage today!

Powered by blists - more mailing lists