On Wed, 8 Mar 2000, Groth, Daniel wrote:
> I have always been amazed about SSL in regard to HTTP servers' weaknesses.
> Are there any firewalls that can do content analysis on an SSL stream?
No, that's the whole point of SSL: to block people from eavesdropping.
It's good for keeping "the man" out of the web pages you're looking at
from work if you've got a server out on the internet that is willing to
give you an SSL proxy. I have one of these on my DSL line if I feel like
looking at things I don't want my employer to know about.
Lots of people at our workplace also use SSH, so tough cookies there for
eavesdropping. The only thing you, as an admin can do is to keep track of
destination hosts, and ask people why they're connecting to
"www.hotanimalsex.com" during work hours. ;)
> I suppose the firewall cannot grab the key exchange, but something as simple
> as the header can be analyzed to check if it actually is SSL and not a telnet
> stream. Are any firewalls doing that?
What good would this do? I think you meant to say "not a normal tcp
connection" because telnet is just a protocol that runs over a connected
tcp port.
-john
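The two admin-side checks the thread mentions, telling whether the bytes on a port are really an SSL handshake rather than a telnet or other plain-text stream, and recording which destination host a client is talking to, can both be done from the first packet the client sends without touching the encrypted payload. The following is an added example, not code from the original thread or its authors: it classifies the opening bytes of a connection as a TLS ClientHello, an SSLv2 ClientHello, telnet option negotiation, or plain text, and pulls the server_name (SNI) extension out of a TLS ClientHello when one is present. SNI (RFC 6066) postdates this 2000 thread; it is included because it is how a modern firewall logs the destination name of an SSL connection it cannot decrypt. All sample byte strings and the minimal ClientHello builder are constructed for the example.

```python
"""Classify the first client bytes of a TCP stream and extract TLS SNI.

Added example; not from the original mailing-list thread. Inputs are
constructed for illustration.
"""
import struct


def build_client_hello(sni=None, version=0x0303):
    """Construct a minimal TLS ClientHello record (constructed sample input).
    Layout per RFC 5246: record header, handshake header, then the body."""
    body = struct.pack('!H', version) + bytes(32) + b'\x00'  # version, random, empty session id
    body += struct.pack('!H', 2) + b'\xc0\x2f'               # one cipher suite
    body += b'\x01\x00'                                      # one compression method (null)
    exts = b''
    if sni:
        host = sni.encode('ascii')
        sn_list = b'\x00' + struct.pack('!H', len(host)) + host  # name_type 0 = host_name
        ext = struct.pack('!H', len(sn_list)) + sn_list
        exts += struct.pack('!HH', 0, len(ext)) + ext            # extension type 0 = server_name
    body += struct.pack('!H', len(exts)) + exts
    handshake = b'\x01' + len(body).to_bytes(3, 'big') + body    # 0x01 = ClientHello
    return b'\x16\x03\x01' + struct.pack('!H', len(handshake)) + handshake


def _parse_sni(body):
    """Walk a ClientHello body (after the 4-byte handshake header) and return
    the server_name host_name, or None if the extension is absent/truncated."""
    if len(body) < 35:
        return None
    pos = 2 + 32                                   # skip client_version + random
    pos += 1 + body[pos]                           # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack('!H', body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None
    ext_total = struct.unpack('!H', body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack('!HH', body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0 and len(ext) >= 5 and ext[2] == 0:   # server_name, host_name entry
            name_len = struct.unpack('!H', ext[3:5])[0]
            return ext[5:5 + name_len].decode('ascii', 'replace')
    return None


def classify_client_bytes(data):
    """Return a dict describing what the client's first bytes look like.
    kind is one of: tls_client_hello, sslv2_client_hello, telnet_negotiation,
    plaintext, unknown."""
    result = {'kind': 'unknown', 'version': None, 'sni': None}
    if not data:
        return result
    # TLS record: content type 0x16 (handshake), major version 3, and the
    # handshake message inside it has type 0x01 (ClientHello).
    if len(data) >= 9 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        hs_len = int.from_bytes(data[6:9], 'big')
        body = data[9:9 + hs_len]
        result['kind'] = 'tls_client_hello'
        if len(body) >= 2:
            result['version'] = struct.unpack('!H', body[0:2])[0]
        result['sni'] = _parse_sni(body)
        return result
    # SSLv2 ClientHello: 2-byte length with the high bit set, message type
    # 0x01, then the highest version the client supports (major byte 3).
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01 and data[3] == 0x03:
        result['kind'] = 'sslv2_client_hello'
        result['version'] = struct.unpack('!H', data[3:5])[0]
        return result
    # Telnet clients typically open with option negotiation: IAC (0xff)
    # followed by WILL/WONT/DO/DONT (0xfb-0xfe).
    if len(data) >= 3 and data[0] == 0xff and 0xfb <= data[1] <= 0xfe:
        result['kind'] = 'telnet_negotiation'
        return result
    # Otherwise report whether it is printable text, which is what a bare
    # telnet session or an HTTP request looks like on the wire.
    if all(32 <= b < 127 or b in b'\r\n\t' for b in data):
        result['kind'] = 'plaintext'
    return result


if __name__ == '__main__':
    samples = {                                               # constructed samples
        'tls': build_client_hello('www.example.com'),
        'sslv2': b'\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10',
        'telnet': b'\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23',
        'http': b'GET / HTTP/1.0\r\n\r\n',
    }
    for name, raw in samples.items():
        print(name, classify_client_bytes(raw))
```

A firewall running this kind of check on port 443 can at least confirm that what it passes is a handshake and log the requested host name; it still sees nothing of the pages fetched, which is the point John makes above.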
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]