hi,

> does anyone know of a proxy that will sit as a man-in-the-middle on a
> firewall to pass SSL traffic, but have it decrypted on the firewall to
> allow for the type of scanning that is desired?

i can't see how that would work. there was a discussion about this on this
list a while ago, and at first i thought it would be a pretty good idea. an
ssl proxy with its own certificate, decrypting the stream from the server
and then encrypting it to the client with its own certificate. however,
based on the url the client browser (at least msie & netscape) will refuse
or warn you that it is not a valid certificate. so at the very least it
won't be transparent, and the client will never be sure that he is actually
talking to www.mybank.com. the proxy will however be able to verify this,
which means the browser has to trust the proxy. (which i guess it has to do
anyways, 'cause the proxy has clear-text access to information that's
supposed to be private). please correct me if i'm wrong - cryptographer i am
not.

--jan van rensburg 
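The certificate check Jan describes, played out in Go as an added example (this is not code from the thread, nor from any product mentioned in it): an interception proxy mints a certificate for www.mybank.com under its own CA, and the client-side verification that a browser performs is run three times, once with a root store that lacks the proxy CA, once with the proxy CA installed, and once against a certificate minted for a different host. Go's standard-library x509 verifier stands in for the browser; the CA name, the second hostname and the 24-hour validity window are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mint generates a P-256 key and signs tmpl with parent; when parent is nil
// the certificate is self-signed (that is how the proxy's own CA is made).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyAs is the check a browser performs on the certificate it receives:
// does it chain to a trusted root, and is it valid for the host in the URL?
func verifyAs(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// Classify maps the verification error onto the outcomes the message describes:
// accepted, "not a valid certificate" (issuer unknown), or name does not match the URL.
func Classify(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "unknown authority"
	case errors.As(err, &badHost):
		return "hostname mismatch"
	default:
		return "other: " + err.Error()
	}
}

// Outcome holds the three client-side results for one intercepted site.
type Outcome struct {
	UntrustedCA string // client root store lacks the proxy CA
	TrustedCA   string // the proxy CA has been installed in the client
	WrongHost   string // proxy CA trusted, but the cert was minted for another name
}

// Run plays out the scenario for the site name the client typed into the browser.
func Run(site string) (Outcome, error) {
	ca, caKey, err := mint(&x509.Certificate{ // constructed proxy CA
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example SSL Proxy CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	leaf, _, err := mint(&x509.Certificate{ // what the proxy mints per site
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: site}, DNSNames: []string{site},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return Outcome{}, err
	}
	// An empty pool stands in for a browser whose root store does not contain the
	// proxy CA; the real system roots would give the same answer for this leaf.
	noProxyTrust := x509.NewCertPool()
	withProxyTrust := x509.NewCertPool()
	withProxyTrust.AddCert(ca)
	return Outcome{
		UntrustedCA: Classify(verifyAs(leaf, site, noProxyTrust)),
		TrustedCA:   Classify(verifyAs(leaf, site, withProxyTrust)),
		WrongHost:   Classify(verifyAs(leaf, "www.example.net", withProxyTrust)), // constructed name
	}, nil
}

func main() {
	out, err := Run("www.mybank.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Running the file prints the three results. The first is the warning the message predicts for an unmodified browser; the second is what an organisation gets once the proxy's CA is pushed to every client, which is the "browser has to trust the proxy" condition; the third shows that the host check still applies even then, so the client only ever learns that it is talking to something the proxy CA vouched for, and it is the proxy that has to verify the real www.mybank.com on the client's behalf.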

> -----Original Message-----
> From: David Lang [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 04, 1999 11:42 PM
> To: Paul Krumviede
> Cc: [EMAIL PROTECTED]; Paul D. Robertson; firewalls
> Subject: Re: Routing protocols thru firewall
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> does anyone know of a proxy that will sit as a man-in-the-middle on a
> firewall to pass SSL traffic, but have it decrypted on the firewall to
> allow for the type of scanning that is desired?
> 
> David Lang
> 
> "If users are made to understand that the system administrator's job is to
> make computers run, and not to make them happy, they can, in fact, be made
> happy most of the time. If users are allowed to believe that the system
> administrator's job is to make them happy, they can, in fact, never be made
> happy."
> - -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)
> 
> On Thu, 4 Feb 1999, Paul Krumviede wrote:
> 
> > Date: Thu, 04 Feb 1999 12:11:12 -0800
> > From: Paul Krumviede <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Cc: Paul D. Robertson <[EMAIL PROTECTED]>,
> >     firewalls <[EMAIL PROTECTED]>
> > Subject: Re: Routing protocols thru firewall
> > 
> > From a different Paul...
> > 
> > The problem is that many people notice that HTTP and SSL are allowed
> > through firewalls, they decide the best way to get nifty new service
> > through is to run it over HTTP or SSL. Many people avoid implementing
> > something like SMTP auth by running SMTP over SSL. Now say that you
> > want your firewall to scan for virii, trojans, whatever. How does it
> > do that?
> > 
> > For the truly amusing scenario, consider people who want to let MBONE
> > stuff, which is basically arbitrary IP packets encapsulated in a
> > unicast stream, through the firewall to a multicast server inside
> > your net that will strip the encapsulation and place the revealed
> > packets on your net. Does that make you feel comfortable about
> > letting it through your firewall?
> > 
> > -paul
> > 
> > Michael Sorbera wrote:
> > > 
> > > Hello everyone,
> > > Paul, you mentioned that SSL was one of your "no's".  Could you please explain to
> > > me how SSL can be used to encapsulate something?  Also why the no?  Please keep
> > > the explanation down to a level I can understand.
> > > 
> > > Thanks all,
> > > Michael Sorbera
> > > Webmaster/Network Engineer
> > > Randolph-Brooks Federal Credit Union
> > > www.rbfcu.org
> > > [EMAIL PROTECTED]
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> > 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP for Personal Privacy 5.0
> Charset: noconv
> 
> iQEVAwUBNroUGj7msCGEppcbAQEmqwf/X/IYzcWr5BTgVdgyb/X0s/vNxFLr5rNd
> lnyOF1qFPoSX4O7zjlzK1EOfEHgOL88KmSScydKvl2Lqlg93KNz4tcRiYtzD5qCU
> uLtoQ6zPp1Lb677DNZvfMuy/lTtXXXidXmfSM+9avC0NDD+tm8DyhHcu4mVXEhI2
> 1FatS97PZ274ossbYfNYHtSzoupotxhQ+LqOJDZZAaRtbtKMvOQtehgm1FcaBORF
> d7OjwAThMOo63VQRSpJSy7HLcHPw8EqMWGucey7/GMHWdsQcpZtQSy/NBM2PCoKc
> W/vATP8jH5HDeO6AJH9zq6TIUKsHWnxlRfl1tzHfIudAAd62WbGG9g==
> =oQkt
> -----END PGP SIGNATURE-----
> 