[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <00b001c39467$e7823b80$1400000a@bigdog>
From: listuser at seifried.org (Kurt Seifried)
Subject: SSL Filtering - OFFTOPIC
> Now you can buy products off-the-shelf that man-in-the-middle SSL with
> the "new feature" called SSL Filtering; both WebWasher and Secure
> Computing are offering this functionality.
Not new, I remember discussing this years ago, however implementation is
another story.
> In summary, the transparent SSL proxy dynamically issues certificates
> for any SSL server you try to communicate with (e.g. "etrade.com"),
> which allows it to act as though it were the actual server and proxy,
> decrypt, and filter all SSL information from the server. Somehow or
> another, your browser must trust the proxy server's own root CA. Of
> course, your company's security policy will surely require you to do so.
If you control the client to such a degree (being able to force installation
of root authority certificates) then it's a moot point. If however you can
trick the client into installing such a certificate, and maybe fiddle their
DNS server settings at the same time, you have a larger problem. Like the
SWEN virus did.....
Personally I think this is going to be a huge area. Why dick around stealing
credit card numbers/etc when you can simply sieze someone's online
banking/brokering credentials, or a few hundred such accounts oh, just like
Van T. Dinh did:
http://www.theregister.co.uk/content/55/33320.html
$90,000 for the cost of sending someone a small trojan. Not a bad
risk/reward ratio, if you can figure out how to launder the money.
Things will probably get a lot worse before they get well and truly bad, to
say nothing of when they get utterly horrible.
Sort of wish I'd patented this now ("one-click financial fraud"?).
Kurt Seifried, kurt@...fried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
Powered by blists - more mailing lists