On Fri, 12 Feb 1999, Steve Brown wrote:

> The main drawback from Websweeper is that it can not proxy HTTPS. Can
> anyone point me to an alternative or workaround for this lack of
> functionality.

Nobody proxies SSL.  Alternatives currently include changing proxy source 
code to rewrite https:// urls inbound to http://cookie URLs so that the 
proxy can enforce HTTP restrictions on the client-proxy interaction, then 
having the proxy rewrite outbound http://cookie URLs as https:// URLs and 
make the connection on behalf of the client.  As client-side certificates 
come out, the proxy will need to be modified to store them locally on 
behalf of the client.  The inelegant part of this solution happens if the 
client starts with an https:// URL instead of an http:// URL, but I 
haven't examined the alternatives for proxies to rewrite, redirect, or 
otherwise intervene to start the process.  Fortunately, most sites have 
http:// portals into the secure areas of their sites, so it's a small issue.

Another alternative is to change the client to send https:// methods over 
HTTP to the proxy, then have it do real https:// on the outside.  Once 
again, this requires some proxy modification (as well as client 
modification), but there's no reason you couldn't insert a commercial 
proxy in the middle if it was done correctly.

Yet another alternative is to place a machine to do https:// URLs external 
to the organization, and use some sort of remote display (X-Windows, 
Citrix Winframe...) for the end-users to get to that machine and run SSL 
enabled browsers.

In most places, these cases require that the users be informed 
that https:// URLs aren't private, and are actively monitored. 

The final alternative is not to allow SSL through the firewall.  Either 
put machines for using SSL outside the network perimeter, or just 
disallow it.

FWIW, I still think the firewall is the wrong place to do content 
scanning.  It's a workstation problem, and you should use a workstation 
solution, everything else is much less effective.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
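
The URL-rewriting scheme described in the first alternative above, as an added example that is not code from the original post or from any proxy product: the proxy maps every https:// URL onto a plain http:// URL under a reserved internal host name, so an HTTP-only filter can inspect and restrict it, and maps it back when it opens the real SSL connection on the client's behalf. The gateway host name "ssl-gw.internal" and the allow-list of origin hosts are hypothetical, and the sample HTML is constructed. It also covers the "inelegant" case from the post: a client that starts with https:// itself sends a CONNECT, which the proxy cannot rewrite.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hypothetical reserved name (assumption): every rewritten URL is hosted
# "under" it, so an HTTP-only proxy can filter the plaintext form.
GATEWAY_HOST = "ssl-gw.internal"

# Constructed sample policy: origin hosts users may reach over SSL.
ALLOWED_ORIGINS = {"bank.example.com", "shop.example.net"}


def rewrite_inbound(url):
    """Client-facing form: https://host[:port]/p?q -> http://GATEWAY/host[:port]/p?q.
    Anything that is not an https URL is returned unchanged."""
    p = urlsplit(url)
    if p.scheme != "https" or not p.netloc:
        return url
    path = "/" + p.netloc + (p.path or "/")
    return urlunsplit(("http", GATEWAY_HOST, path, p.query, p.fragment))


def rewrite_outbound(url):
    """Proxy-side inverse of rewrite_inbound.
    Returns (origin_hostname, https_url), or (None, url) for a URL that
    was not produced by the rewrite."""
    p = urlsplit(url)
    if p.scheme != "http" or p.netloc != GATEWAY_HOST:
        return None, url
    m = re.match(r"^/([^/]+)(/.*)?$", p.path)
    if not m:
        return None, url
    netloc, rest = m.group(1), m.group(2) or "/"
    https_url = urlunsplit(("https", netloc, rest, p.query, p.fragment))
    return urlsplit(https_url).hostname, https_url


_ABS_HTTPS = re.compile(r'(href|src|action)=(["\'])(https://[^"\']+)\2', re.I)


def rewrite_body(html):
    """Rewrite absolute https:// links in a fetched page so the client keeps
    talking plain HTTP to the proxy.  Relative links need no change: they
    resolve against http://GATEWAY/<origin>/... and stay under the gateway."""
    return _ABS_HTTPS.sub(
        lambda m: m.group(1) + "=" + m.group(2)
        + rewrite_inbound(m.group(3)) + m.group(2),
        html,
    )


def proxy_decide(request_line):
    """Model the proxy's handling of one client request line.
    Returns "FETCH <https-url>", "DENY <host>", "PLAIN <url>" or "UNSUPPORTED"."""
    method, target = request_line.split()[:2]
    if method.upper() == "CONNECT":
        # Client started with https:// itself: the proxy only sees
        # "CONNECT host:443" and has no URL to apply its rules to.
        return "UNSUPPORTED"
    host, https_url = rewrite_outbound(target)
    if host is None:
        return "PLAIN " + target          # ordinary http traffic, filtered as usual
    if host not in ALLOWED_ORIGINS:
        return "DENY " + host             # plaintext policy applied to an SSL site
    return "FETCH " + https_url           # proxy opens the SSL session itself


if __name__ == "__main__":
    # Constructed sample requests and page body.
    for line in ("GET http://ssl-gw.internal/bank.example.com/login?acct=1 HTTP/1.0",
                 "GET http://ssl-gw.internal/evil.example/x HTTP/1.0",
                 "CONNECT bank.example.com:443 HTTP/1.0"):
        print(line, "->", proxy_decide(line))
    page = '<a href="https://bank.example.com/a">x</a> <a href="/b">y</a>'
    print(rewrite_body(page))
```

Because the origin host is carried in the path rather than in a cookie, relative links on the fetched page keep working without any rewriting; only absolute https:// links and any Location: headers the origin sends back need the inbound rewrite applied. The CONNECT case is exactly the one the post calls inelegant: the proxy has to refuse it or redirect the user to an http:// entry point it can rewrite.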
