On Wed, 8 Mar 2000, "Paul D. Robertson" wrote:
> I even gave two vendors a step-by-step of how to man-in-the-middle
> an SSL connection as a valid proxy, and they weren't interested in
> spending the time to try it out.
not as a valid proxy, unless you figure out a way to change the CN in
your proxy server cert to match the various hostnames your users will
connect to on the fly (along with any commercial CA signatures).
i suppose you could always condition them to blindly acknowledge their
browsers' alert dialogs, but i'm not sure that's any better. and then
there's the question of performance...
> I'm still of the opinion that anyone passing unbounded SSL to
> clients on the internal network needs their head examined, connect
> method or not.
indeed. ObLameExploit:
http://www.monkey.org/~dugsong/httpstunnel.c.txt
-d.
---
http://www.monkey.org/~dugsong/
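Why a proxy with one fixed certificate cannot pass as "valid" for arbitrary hosts, as an added example that is not code from this thread or from httpstunnel: the hostname check a TLS client applies to the certificate it is handed. The certificate dicts are constructed and follow the shape Python's `ssl.SSLSocket.getpeercert()` returns; a fixed-CN proxy cert satisfies the check only for its own name, and every other hostname is a connection the browser alerts on.

```python
# Added example, not code from the thread: the name check a TLS client applies
# to the certificate the far end presents. The cert dict mirrors the shape
# returned by ssl.SSLSocket.getpeercert() in the Python standard library.

def _dns_names(cert):
    """SAN dNSName entries; the subject CN is consulted only when none exist."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def hostname_matches(cert, hostname):
    """True if the certificate covers hostname. A wildcard is accepted only as
    the entire leftmost label of a name with at least three labels, and it
    matches exactly one label ('*.example.com' covers 'www.example.com' but
    neither 'example.com' nor 'a.b.example.com')."""
    hlabels = hostname.lower().rstrip(".").split(".")
    for name in _dns_names(cert):
        nlabels = name.split(".")
        if len(nlabels) != len(hlabels):
            continue
        if nlabels[0] == "*":
            if len(nlabels) < 3:
                continue            # '*.com' style names are rejected
            ok = nlabels[1:] == hlabels[1:]
        elif "*" in name:
            continue                # a wildcard anywhere else is rejected
        else:
            ok = nlabels == hlabels
        if ok:
            return True
    return False

def proxy_cert_coverage(proxy_cert, hostnames):
    """Map each hostname to whether one fixed proxy certificate would satisfy
    the client's check; every False is a connection the browser warns about."""
    return {h: hostname_matches(proxy_cert, h) for h in hostnames}

if __name__ == "__main__":
    # Constructed sample: a proxy cert whose CN is its own name, nothing more.
    proxy = {"subject": ((("commonName", "proxy.internal"),),)}
    for host, ok in proxy_cert_coverage(
            proxy, ["proxy.internal", "www.bank.example"]).items():
        print(f"{host}: {'accepted' if ok else 'certificate name mismatch'}")
```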