David Lang wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> does anyone know of a proxy that will sit as a man-in-the-middle on a
> firewall to pass SSL traffic, but have it decrypted on the firewall to
> allow for the type of scanning that is desired?

This is not going to attempt to answer the question, but I want to point
out that by letting your proxy decrypt everything it is a *very* tempting
target. Now if you want to offer, say, an on-line banking service, over
SSL, that is going through such a proxy, it is an even more interesting
target, and even in the presence of client side certificates, I, as a
user, can plausibly deny everything by blaming your proxy. So when I
exhaust my bank account I'll claim fraud and we can have all sorts of
legal fun. (And I'm not in the UK so you can't argue that your crypto is
perfect and get me locked up, although Ross Anderson made that hard
to argue anyway.)

-paul

> David Lang
> 
> "If users are made to understand that the system administrator's job is to
> make computers run, and not to make them happy, they can, in fact, be made
> happy most of the time. If users are allowed to believe that the system
> administrator's job is to make them happy, they can, in fact, never be made
> happy."
> -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)
> 
> On Thu, 4 Feb 1999, Paul Krumviede wrote:
> 
> > Date: Thu, 04 Feb 1999 12:11:12 -0800
> > From: Paul Krumviede <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Cc: Paul D. Robertson <[EMAIL PROTECTED]>,
>      firewalls <[EMAIL PROTECTED]>
> > Subject: Re: Routing protocols thru firewall
> >
> > From a different Paul...
> >
> > The problem is that many people notice that HTTP and SSL are allowed
> > through firewalls, they decide the best way to get nifty new service
> > through is to run it over HTTP or SSL. Many people avoid implementing
> > something like SMTP auth by running SMTP over SSL. Now say that you
> > want your firewall to scan for virii, trojans, whatever. How does it
> > do that?
> >
> > For the truly amusing scenario, consider people who want to let MBONE
> > stuff, which is basically arbitrary IP packets encapsulated in a
> > unicast stream, through the firewall to a multicast server inside
> > your net that will strip the encapsulation and place the revealed
> > packets on your net. Does that make you feel comfortable about
> > letting it through your firewall?
> >
> > -paul
> >
> > Michael Sorbera wrote:
> > >
> > > Hello everyone,
> > > Paul, you mentioned that SSL was one of your "no's".  Could you please explain to
> > > me how SSL can be used to encapsulate something?  Also why the no?  Please keep
> > > the explanation down to a level I can understand.
> > >
> > > Thanks all,
> > > Michael Sorbera
> > > Webmaster/Network Engineer
> > > Randolph-Brooks Federal Credit Union
> > > www.rbfcu.org
> > > [EMAIL PROTECTED]
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
> 
> 
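Krumviede's point in the quoted thread, that a firewall passing SSL sees only the SSL framing and cannot scan whatever service is tunneled inside, shown as an added example (not code from anyone in this thread): a record-layer parser that reports what a firewall can see of a port-443 stream and nothing more. It assumes TLS 1.0-style record framing; the byte streams it parses are constructed sample data, labelled as such in the code.

```python
# Added example (not from the thread): what a firewall sees of an SSL/TLS
# stream on port 443. Only the record layer (type, version, length) of a
# constructed byte stream is parsed; the payload stays opaque, which is why
# the firewall cannot scan whatever is tunneled inside.
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def parse_tls_records(stream: bytes):
    """Return (content_type_name, version, payload_len) per TLS record.
    Raises ValueError as soon as the bytes are not TLS-framed, so a firewall
    can at least enforce "port 443 carries TLS records" without seeing inside.
    """
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated TLS record header at offset %d" % pos)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError("not a TLS record at offset %d" % pos)
        pos += 5
        if len(stream) - pos < length:
            raise ValueError("record payload truncated at offset %d" % pos)
        pos += length  # the payload itself is never inspected
        records.append((CONTENT_TYPES[ctype], "%d.%d" % (major, minor), length))
    return records

def tls_record(ctype: int, payload: bytes, version=(3, 1)) -> bytes:
    """Constructed sample data: wrap payload in a TLS 1.0 record header."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload

# Constructed sample stream: a handshake record, then two application data
# records whose bytes stand in for ciphertext (HTTP, SMTP or anything else
# tunneled over SSL; the parser cannot tell which).
SAMPLE_TLS = (
    tls_record(22, b"\x01\x00\x00\x04\x03\x01\x00\x00")  # handshake stub
    + tls_record(23, b"\xaa" * 40)                        # opaque application data
    + tls_record(23, b"\xbb" * 16)
)

# Constructed sample of something that is NOT SSL-framed on the same port.
SAMPLE_PLAIN_SMTP = b"EHLO mail.example.test\r\n"

def classify_port443_stream(stream: bytes) -> str:
    # 'tls' if the stream is TLS-framed, 'not-tls' otherwise.
    try:
        parse_tls_records(stream)
        return "tls"
    except ValueError:
        return "not-tls"
```

The parser deliberately never looks past the five-byte record header, which is the whole of what a non-decrypting firewall has to work with.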