Rick Murphy wrote:
> 
> At 03:45 PM 5/30/00 +0200, Mikael Olsson wrote:
> >Well, one thing we should have learned from the recent Web-based
> >E-mail filtering failures (Hotmail has received most coverage,
> >but the same problems apply to all of them), is that it is near
> >impossible for a firewall to filter active content. There's always
> >some new way of injecting scripts in an HTML document.
> >
> >So, in light of that, I think that all network filters, be it
> >SPFs or proxies, should be considered to have no protection
> >against embedded active content.
> 
> It's worse than that - remember, nobody filters SSL traffic. Firewall
> active content filters only work if the attacker is cooperative :-)

SSL can be restricted to particular e-commerce sites. Alternatively, a
proxy can be created which acts as an SSL server on one side and a
client on the other. In between the content can be decrypted and
filtered. I don't know if anyone does this but it is possible in
principle. And authentication of servers is still possible within this
scheme, provided the original client trusts the proxy, which they should
be able to do if it is running on their firewall.

-- 
Dr Graham Wheeler                        E-mail: [EMAIL PROTECTED]
Director, Research and Development       WWW:    http://www.cequrux.com
CEQURUX Technologies                     Phone:  +27(21)423-6065
Firewalls/VPN Specialists                Fax:    +27(21)424-3656
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
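
The trust arrangement described in the reply above, as an added example in Go (not code from the thread or from any product): the proxy verifies the origin's certificate against a public root and only then issues its own certificate for that host, which a client accepts only if it trusts the proxy's CA. The functions `issue`, `trusts` and `reissue` and all `.example` names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate and key for name, signed by parent (a self-signed CA if nil).
// Errors are ignored for brevity: every input in this constructed demo is well-formed.
func issue(name string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusts reports whether a verifier whose only trusted root is root accepts leaf for host.
func trusts(leaf *x509.Certificate, host string, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// reissue is the proxy's decision: authenticate the origin first, then vouch for it.
func reissue(host string, origin, publicCA, proxyCA *x509.Certificate, proxyKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	if !trusts(origin, host, publicCA) {
		return nil, nil // origin failed verification: issue nothing to the client
	}
	return issue(host, proxyCA, proxyKey)
}

func main() {
	pubCA, pubKey := issue("public-ca.example", nil, nil) // constructed names throughout
	proxyCA, proxyKey := issue("proxy-ca.example", nil, nil)
	origin, _ := issue("shop.example", pubCA, pubKey)
	leaf, _ := reissue("shop.example", origin, pubCA, proxyCA, proxyKey)
	fmt.Println("proxy CA trusted:", trusts(leaf, "shop.example", proxyCA), "| not trusted:", trusts(leaf, "shop.example", pubCA))
}
```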
