On Wed, Mar 27, 2002 at 10:15:56AM +0100, Henrik Nordstrom wrote: > On Tuesdayen den 26 March 2002 16.33, Balazs Scheidler wrote: > > > Providing a client certificate to the server is not very common, if it is > > required a tunnel can be opened to that _specific_ server, and nothing > > else. > > > > So using a real decrypting HTTPS proxy for general https traffic, and > > opening holes to specific destinations is definitely more secure than a > > simple 'pass-through' hole in the firewall. > > You missed the point here. Using a decryption HTTPS proxy invalidates both > the use of client certificates AND the use of server certificates, which > makes the use of SSL somewhat pointless. Further, unless the proxy runs it's > own CA trusted by the browsers then the users will always be warned that the > server certificate is invalid when using such proxy.
I think you missed the point here. Of course the firewall verifies the server's certificate using its own trusted list of CAs. The user is not capable of deciding whether a certificate presented to him really belongs to the given server. They simply press 'continue' without thinking that the server they are communicating with is fake. Of course if you AND your users know what the hell a certificate is, they can decide but I think you are a minority. -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
