--On Wednesday, December 20, 2000 8:37 AM +0100 Jürgen Nieveler 
<[EMAIL PROTECTED]> wrote:

> You'd have to block port 443. There is no way to proxy SSL-encrypted
> connections, therefore most proxies simply tunnel it.
> There are also programs that tunnel via port 80 with simulated HTML.
> Those will also pass an application-level gateway quite happily.

Not precisely true. You _can_ proxy SSL'd connections via what I call a "Benevolent 
Dictator MITM Attack". To date, I've seen no code that does so. 
The SSL crypto upgrade proxy could be modified to do so, as could Dug's sslmitm. 
Basically, you install your own trusted CA key in the clients, and 
use it to carry out a MITM attack. The nasty details come in things like supporting 
client certs, but it's all doable. Of course the clients have to 
trust your CA, but many folks can make that a pre-requisite of getting out through the 
firewall.

-- Carson Gaspar - [EMAIL PROTECTED]
Queen trapped in a butch body
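The mechanism Carson describes, shown as an added example that is not code from this thread, from the crypto upgrade proxy or from sslmitm: the proxy holds its own CA key, mints a server certificate for whatever host the client asked for, and terminates the SSL connection itself. The three handshakes at the end demonstrate the "clients have to trust your CA" prerequisite: a client that has the CA installed accepts the forged certificate, a client without it rejects it, and a certificate minted for the wrong host name is rejected even by a trusting client. The CA name and host names are made up for the example; the handshake runs over an in-memory pipe, so nothing leaves the machine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewCA makes the self-signed root that every client behind the firewall is
// required to trust. "Firewall Inspection CA" is a hypothetical name.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Firewall Inspection CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ForgeLeaf is what the proxy does per intercepted connection: mint a server
// certificate for the requested host and sign it with the proxy's CA key.
func ForgeLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the client will check
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ClientAccepts runs a real TLS handshake over an in-memory pipe: the proxy
// side presents the forged leaf, the client side verifies it against roots
// for serverName. It returns nil only if the client accepts the forgery.
// An empty roots pool models a client that was never given the proxy CA.
func ClientAccepts(serverName string, leaf tls.Certificate, roots *x509.CertPool) error {
	clientConn, serverConn := net.Pipe()
	srvDone := make(chan struct{})
	go func() {
		srv := tls.Server(serverConn, &tls.Config{Certificates: []tls.Certificate{leaf}})
		_ = srv.Handshake() // the client's verdict is what we report
		serverConn.Close()
		close(srvDone)
	}()
	cli := tls.Client(clientConn, &tls.Config{ServerName: serverName, RootCAs: roots})
	err := cli.Handshake()
	clientConn.Close() // unblocks the proxy side whatever state it is in
	<-srvDone
	return err
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	leaf, err := ForgeLeaf("secure.example.com", ca, caKey)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("client that trusts the proxy CA:", ClientAccepts("secure.example.com", leaf, trusted))
	fmt.Println("client without the proxy CA:   ", ClientAccepts("secure.example.com", leaf, x509.NewCertPool()))
	fmt.Println("wrong host name, CA trusted:   ", ClientAccepts("other.example.com", leaf, trusted))
}
```

A real proxy would cache the forged leaf per host, open its own upstream connection to the real server and verify that server's certificate properly (otherwise the proxy becomes the point where everyone's verification silently stops), and, as Carson notes, has no clean answer for client certificates: the upstream server wants a signature from the client's key, which the proxy does not hold.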