[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [WEB SECURITY] SSL does not = a secure website

From: Jos <josmtx@xxxxxxxxx>
Subject: RE: [WEB SECURITY] SSL does not = a secure website
Date: Tue, 28 Mar 2006 10:13:56 -0500

------=_Part_61_17988859.1143558836678
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

What about man in the middle devices such as proxies? I have several device=
s
on my network that encrypt and decrypt SSL on the fly and can be used to
monitor what is sent to and an ECommerce site.

The one device {BlueCoat} even has a specialized card for this so it doesn'=
t
take from the central processor. We use it for forward proxy, and also
reverse proxy in front of our ECommerce site, so if I wanted to I could rea=
d
the actual packet payload in the clear without either end knowing the data
has been decrypted.

We also have several sniffers with cards in them to do the same thing, afte=
r
all, the sniffers and BlueCoat see the entire conversations so know what th=
e
encryption is.

You need to tell all the truth. Getting access to clear data (otherwise SSL
protected) with a reverse proxy is only possible if you import your server
private key in it. If you do that, well, you better know what you are doing=
.
Getting access to clear data with a forward proxy is not possible for sites
that you do not own, since you need the destination site's private key. You
could try a man in the middle attack at the proxy level, and this might wor=
k
since users do not understand security warning about certifiates not being
from a trusted authority (well, they tend to be educated the hard way).

Jocelyn

------=_Part_61_17988859.1143558836678
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<div style=3D"margin-left: 40px;">What about man in the middle devices such=
 as proxies? I have several devices on my network that encrypt and decrypt =
SSL on the fly and can be used to monitor what is sent to and an ECommerce =
site.
<br><br>The one device {BlueCoat} even has a specialized card for this so i=
t doesn't take from the central processor. We use it for forward proxy, and=
 also reverse proxy in front of our ECommerce site, so if I wanted to I cou=
ld read the actual packet payload in the clear without either end knowing t=
he data has been decrypted.
<br><br>We also have several sniffers with cards in them to do the same thi=
ng, after all, the sniffers and BlueCoat see the entire conversations so kn=
ow what the encryption is.<br></div><br>You need to tell all the truth. Get=
ting access to clear data (otherwise SSL protected) with a reverse proxy is=
 only possible if you import your server private key in it. If you do that,=
 well, you better know what you are doing. Getting access to clear data wit=
h a forward proxy is not possible for sites that you do not own, since you =
need the destination site's private key. You could try a man in the middle =
attack at the proxy level, and this might work since users do not understan=
d security warning about certifiates not being from a trusted authority (we=
ll, they tend to be educated the hard way).
<br><br>Jocelyn<br>

------=_Part_61_17988859.1143558836678--

Prev by Date: Re: [WEB SECURITY] SSL does not = a secure website
Next by Date: Re: [WEB SECURITY] SSL does not = a secure website
Previous by thread: Re: [WEB SECURITY] SSL does not = a secure website
Next by thread: Re: [WEB SECURITY] SSL does not = a secure website
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org