lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
From: john_sec_lists at hotmail.com (John Sec)
Subject: SSL Filtering

>Now you can buy products off-the-shelf that man-in-the-middle SSL with
>the "new feature" called SSL Filtering; both WebWasher and Secure
>Computing are offering this functionality.
>
>In summary, the transparent SSL proxy dynamically issues certificates
>for any SSL server you try to communicate with (e.g. "etrade.com"),
>which allows it to act as though it were the actual server and proxy,
>decrypt, and filter all SSL information from the server. Somehow or
>another, your browser must trust the proxy server's own root CA. Of
>course, your company's security policy will surely require you to do so.
>
>A whitepaper is available that includes a poignant section labeled "What
>Are Employees Trying To Hide?" (check the diagram near the bottom for a
>process flow diagram):
>http://www.webwasher.com/enterprise/download/white_paper/en_SSL.pdf
>
>Here's an eWeek article on the topic:
>http://www.eweek.com/article2/0,4149,1342951,00.asp
>
>From the article: "Because SSL is a secure and encrypted connection, it
>has been impossible to scan SSL connections for viruses or to apply
>content filters to the information that passes through an SSL
>connection. ... If a visitor to the company uses the network to access a
>secure Web-mail client, it makes it possible to break this security and
>scan a user's mail."
>
>Note that companies that use CONNECT to tunnel secure communication and
>don't use SSL or other PKI-derived methods /for authentication/ can not
>be man-in-the-middled by this. So, SSL as a protocol may be fine, but
>this is one more reason not to get too comfortable with its PKI.
>
>-Jason

Is there a way to detect if this MITM is being performed?

_________________________________________________________________
Fretting that your Hotmail account may expire because you forgot to sign in 
enough? Get Hotmail Extra Storage today!   
http://join.msn.com/?PAGE=features/es


Powered by blists - more mailing lists