At 04:28 PM 5/30/00 +0200, Graham Wheeler wrote:
>SSL can be restricted to particular e-commerce sites. Alternatively, a
>proxy can be created which acts as an SSL server on one side and a
>client on the other. In between the content can be decrypted and
>filtered. I don't know if anyone does this but it is possible in
>principle. And authentication of servers is still possible within this
>scheme, provided the original client trusts the proxy, which they should
>be able to do if it is running on their firewall.

That works until you want SSL V2 (client authentication) - unless you trust 
your proxy to hold everyone's private key (VERY bad idea).

I've seen several proposals to do what you describe but I've never seen it 
tried; I thought you would need to make changes to the browsers to permit 
them to accept the proxy's certificate in lieu of the site they expected 
one from; a recent Netscape bug (once a cert is marked as ok for a site 
even though it doesn't match the domain, that cert is OK for *ANY* site) 
could be exploited to make this work.

You could have the user always connect to the proxy unencrypted, then allow 
the proxy to do SSL; that'd work until a user gets redirected to an SSL site 
to enter an order.

I'd love to have the time to try writing a real SSL proxy to verify whether 
my expectations are true or not..
         -Rick
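
The certificate-override behaviour mentioned in the message above, modelled as an added example (not part of the original post, and not Netscape's code). It contrasts an override store keyed on the certificate alone with one keyed on host plus certificate. The class name, host names and certificate bytes are all constructed for illustration.

```python
import hashlib

def name_matches(host: str, pattern: str) -> bool:
    """Exact match, or a '*' left-most label covering exactly one label."""
    h, p = host.lower().split("."), pattern.lower().split(".")
    if len(h) != len(p):
        return False
    return all(pl == hl or (i == 0 and pl == "*")
               for i, (hl, pl) in enumerate(zip(h, p)))

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

class ExceptionStore:
    """User-approved overrides for certificates whose names do not match the host."""
    def __init__(self, bind_to_host: bool):
        self.bind_to_host = bind_to_host
        self._accepted = set()

    def _key(self, host, cert_der):
        fp = fingerprint(cert_der)
        # Weak form: key on the certificate alone.
        # Corrected form: key on (host, certificate).
        return (host.lower(), fp) if self.bind_to_host else fp

    def accept(self, host, cert_der):
        self._accepted.add(self._key(host, cert_der))

    def is_trusted(self, host, cert_der, cert_names):
        if any(name_matches(host, n) for n in cert_names):
            return True
        return self._key(host, cert_der) in self._accepted

# Constructed sample data (not a real certificate).
PROXY_CERT = b"constructed-proxy-certificate-bytes"
PROXY_NAMES = ["proxy.fw.example"]

def demo(bind_to_host: bool):
    store = ExceptionStore(bind_to_host)
    before = store.is_trusted("shop.example", PROXY_CERT, PROXY_NAMES)
    store.accept("shop.example", PROXY_CERT)  # user approves the mismatch once
    same_site = store.is_trusted("shop.example", PROXY_CERT, PROXY_NAMES)
    other_site = store.is_trusted("bank.example", PROXY_CERT, PROXY_NAMES)
    return before, same_site, other_site

if __name__ == "__main__":
    print("cert-only  :", demo(False))
    print("host-bound :", demo(True))
```

With the host-bound store, an override approved for one site does not carry over to any other site presenting the same certificate.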
