Open Source and information security mailing list archives
From: john_sec_lists at hotmail.com (John Sec)
Subject: SSL Filtering

> Now you can buy products off-the-shelf that man-in-the-middle SSL with
> the "new feature" called SSL Filtering; both WebWasher and Secure
> Computing are offering this functionality.
>
> In summary, the transparent SSL proxy dynamically issues certificates
> for any SSL server you try to communicate with (e.g. "etrade.com"),
> which allows it to act as though it were the actual server and proxy,
> decrypt, and filter all SSL information from the server. Somehow or
> another, your browser must trust the proxy server's own root CA. Of
> course, your company's security policy will surely require you to do so.
>
> A whitepaper is available that includes a poignant section labeled "What
> Are Employees Trying To Hide?" (check the diagram near the bottom for a
> process flow diagram):
> http://www.webwasher.com/enterprise/download/white_paper/en_SSL.pdf
>
> Here's an eWeek article on the topic:
> http://www.eweek.com/article2/0,4149,1342951,00.asp
>
> From the article: "Because SSL is a secure and encrypted connection, it
> has been impossible to scan SSL connections for viruses or to apply
> content filters to the information that passes through an SSL
> connection. ... If a visitor to the company uses the network to access a
> secure Web-mail client, it makes it possible to break this security and
> scan a user's mail."
>
> Note that companies that use CONNECT to tunnel secure communication and
> don't use SSL or other PKI-derived methods /for authentication/ can not
> be man-in-the-middled by this. So, SSL as a protocol may be fine, but
> this is one more reason not to get too comfortable with its PKI.
>
> -Jason

Is there a way to detect if this MITM is being performed?
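One client-side answer to the question above, as an added example that is not part of the original thread: a filtering proxy of the kind Jason describes has to present a leaf certificate for "etrade.com" signed by its own root, so its public key differs from the genuine server's and its chain does not end at a public root. The Go code below (standard library only) constructs a stand-in public CA, a stand-in proxy root and a leaf from each, then flags the proxy-issued one by comparing the leaf's SPKI hash with a pin recorded on an earlier un-proxied visit and by verifying the chain against a root pool the user controls. The CA names, the pin and all certificates are constructed here; they are not the products' or the thread's data.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

func check(err error) { if err != nil { panic(err) } } // constructed demo fails fast; a real client returns the error
// makeCert issues a certificate for host signed by parent; a nil parent yields a self-signed root CA.
func makeCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } else { tmpl.DNSNames = []string{host} } // SAN only on the server cert
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey); check(err)
	cert, err := x509.ParseCertificate(der); check(err)
	return cert, key
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo: what a client records for a host on a trusted visit.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Intercepted flags a leaf whose key is not the pinned one, or whose chain does not end at a root in the client's own pool.
func Intercepted(host string, leaf *x509.Certificate, pin string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return SPKIPin(leaf) != pin || err != nil
}

// Demo builds a genuine chain and a proxy-issued chain for the same host (all certificates constructed here).
func Demo() (genuineFlagged, proxyFlagged bool) {
	publicCA, publicKey := makeCert("Public CA (constructed)", true, nil, nil)
	genuine, _ := makeCert("etrade.com", false, publicCA, publicKey)
	proxyCA, proxyKey := makeCert("SSL Filter Root CA (constructed)", true, nil, nil)
	forged, _ := makeCert("etrade.com", false, proxyCA, proxyKey)
	roots := x509.NewCertPool()
	roots.AddCert(publicCA) // trust store under the user's control, without the proxy root
	pin := SPKIPin(genuine) // pin recorded on an earlier, un-proxied visit
	return Intercepted("etrade.com", genuine, pin, roots), Intercepted("etrade.com", forged, pin, roots)
}
```

The chain check alone is defeated once the proxy root has been pushed into the store the browser consults, which is why the pin, taken from a connection made outside the filtered network, is the part that still detects the substitution.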