lists.openwall.net: Open Source and information security mailing list archives
From: listuser at seifried.org (Kurt Seifried)
Subject: SSL Filtering - OFFTOPIC

> Now you can buy products off-the-shelf that man-in-the-middle SSL with
> the "new feature" called SSL Filtering; both WebWasher and Secure
> Computing are offering this functionality.

Not new; I remember discussing this years ago. However, implementation is
another story.

> In summary, the transparent SSL proxy dynamically issues certificates
> for any SSL server you try to communicate with (e.g. "etrade.com"),
> which allows it to act as though it were the actual server and proxy,
> decrypt, and filter all SSL information from the server. Somehow or
> another, your browser must trust the proxy server's own root CA. Of
> course, your company's security policy will surely require you to do so.

If you control the client to such a degree (being able to force
installation of root authority certificates) then it's a moot point. If,
however, you can trick the client into installing such a certificate, and
maybe fiddle their DNS server settings at the same time, you have a larger
problem. Like the SWEN virus did.....

Personally I think this is going to be a huge area. Why dick around
stealing credit card numbers/etc. when you can simply seize someone's
online banking/brokering credentials, or a few hundred such accounts, oh,
just like Van T. Dinh did:

http://www.theregister.co.uk/content/55/33320.html

$90,000 for the cost of sending someone a small trojan. Not a bad
risk/reward ratio, if you can figure out how to launder the money. Things
will probably get a lot worse before they get well and truly bad, to say
nothing of when they get utterly horrible. Sort of wish I'd patented this
now ("one-click financial fraud"?).

Kurt Seifried, kurt@...fried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
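The mechanism quoted in the message above, a proxy minting a certificate for whatever host the client asked for and the browser accepting it only because the proxy's root has been pushed into its trust store, as an added example in Go. This is not code from the original post, nor from WebWasher or Secure Computing; it uses only Go's standard crypto/x509 package. The two CA names, the "stand-in public CA" that plays the role of the real server's issuer, and every key are constructed for the demo; only the hostname etrade.com comes from the thread. The third check, an SPKI pin taken from the genuine server's certificate, is the one a practitioner would want alongside the two trust-store checks, because it still catches the proxy on a client that has been made to trust its root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts the demo on the first failure; real code would return the error.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// certify generates a fresh key for tmpl and has parent sign it; a nil parent
// makes the certificate self-signed. All keys here are throwaway demo keys.
func certify(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newCA builds a self-signed root. It stands in both for a genuine public CA and
// for the filtering proxy's own root (constructed names; neither is a real CA).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return certify(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// mintLeaf issues a server certificate naming host from ca. The genuine CA does
// this once; the filtering proxy does it on the fly when a client first connects
// to host (a real proxy also keeps the leaf key to terminate the client's TLS).
func mintLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	cert, _ := certify(&x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// clientAccepts is the browser's check: does leaf chain to a root in the
// client's trust store and name host? Nothing else in the handshake is checked.
func clientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// simulate stands up a stand-in public CA and a filtering proxy, has each issue a
// certificate for host, and runs the proxy's forgery through three clients: one
// with public roots only, one that also trusts the proxy root, one that pins.
func simulate(host string) (publicAccepts, managedAccepts, pinDetects bool) {
	publicCA, publicKey := newCA("Stand-in Public CA")
	proxyCA, proxyKey := newCA("Filtering Proxy Root CA")
	genuine := mintLeaf(host, publicCA, publicKey)
	forged := mintLeaf(host, proxyCA, proxyKey)

	publicRoots := x509.NewCertPool()
	publicRoots.AddCert(publicCA)
	managedRoots := x509.NewCertPool()
	managedRoots.AddCert(publicCA)
	managedRoots.AddCert(proxyCA) // what the corporate policy pushes to every desktop

	publicAccepts = clientAccepts(forged, host, publicRoots)
	managedAccepts = clientAccepts(forged, host, managedRoots)
	// The pin survives a pushed root: the proxy cannot mint a leaf carrying the real key.
	pinDetects = sha256.Sum256(genuine.RawSubjectPublicKeyInfo) != sha256.Sum256(forged.RawSubjectPublicKeyInfo)
	return
}

func main() {
	fmt.Println(simulate("etrade.com")) // false true true
}
```

Run it with `go run`. The first two results are the point Kurt makes: once the proxy root is in the trust store the handshake itself gives the client nothing to object to, and against a client that does not trust that root the proxy's only route is the one he describes, getting the root installed and steering traffic through it. The third result is the caveat: a client that remembers the genuine server's public key (or compares the leaf it sees with one fetched out of band) notices the substitution regardless of which roots it has been told to trust.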