> On Wed, Mar 27, 2002 at 10:15:56AM +0100, Henrik Nordstrom wrote:
> > On Tuesday, 26 March 2002 16.33, Balazs Scheidler wrote:
> >
> > > Providing a client certificate to the server is not very common, if it is
> > > required a tunnel can be opened to that _specific_ server, and nothing
> > > else.
> > >
> > > So using a real decrypting HTTPS proxy for general https traffic, and
> > > opening holes to specific destinations is definitely more secure than a
> > > simple 'pass-through' hole in the firewall.
> >
> > You missed the point here. Using a decrypting HTTPS proxy invalidates both
> > the use of client certificates AND the use of server certificates, which
> > makes the use of SSL somewhat pointless. Further, unless the proxy runs its
> > own CA trusted by the browsers then the users will always be warned that the
> > server certificate is invalid when using such a proxy.
>
> I think you missed the point here. Of course the firewall verifies the
> server's certificate using its own trusted list of CAs.
>
> The user is not capable of deciding whether a certificate presented to him
> really belongs to the given server. They simply press 'continue' without
> thinking that the server they are communicating with is fake.
>
> Of course if you AND your users know what the hell a certificate is, they
> can decide but I think you are a minority.
>

We are far from TPROXY, but here is my point of view:

- HTTPS decrypting proxy is a (MITM) alternative if you want
  to block all "CONNECT" operations in your proxy. But it sounds
  like an abuse protection against inside users. And unfortunately,
  for the users themselves, as mentioned above, it will block services
  such as home banking as well.

- If your proxy allows "CONNECT" requests, then virtually anything
  can pass through it, and HTTPS decrypting proxy does not make sense.

Then, if you are really concerned about insider attacks, what about a
session/tunnel timer which could be a possible (ugly) protection
against wormhole kinds of attacks, without invalidating SSL?

-jmhe-
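The two mitigations discussed in this message, restricting CONNECT to specific destinations ("opening holes to specific destinations") and putting a lifetime on each tunnel (the "session/tunnel timer"), are easy to state and easy to get subtly wrong in a proxy. The following is an added example, not code from this thread or from any proxy project: the policy logic a forwarding proxy would apply to a CONNECT request line and to the tunnels it has open. The allowlist, the 15-minute limit and the sample request lines are constructed for illustration; the parser rejects malformed authorities so that a request without a port, or with a non-numeric port, cannot slip past the allowlist check.

```python
"""CONNECT tunnel policy: destination allowlist plus tunnel lifetime.

Added example, not code from the thread or from any proxy project.
All values below (allowlist entries, lifetime limit, request lines)
are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed allowlist: the few destinations that legitimately need an
# opaque TLS tunnel through the proxy (e.g. sites requiring client
# certificates). Everything else is refused rather than tunnelled.
ALLOWED_TUNNEL_DESTINATIONS = {
    ("bank.example", 443),
    ("vpn.example", 443),
}

# Constructed limit for the "session/tunnel timer": a tunnel open longer
# than this is torn down regardless of whether traffic is still flowing.
MAX_TUNNEL_SECONDS = 15 * 60


def parse_connect(request_line: str):
    """Return (host, port) from a CONNECT request line, or None if malformed.

    Accepts only 'CONNECT host:port HTTP/1.x'. Other methods, a missing
    or non-numeric port, or a port outside 1..65535 are all rejected, so a
    request the allowlist cannot be matched against is never tunnelled.
    """
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    authority, version = parts[1], parts[2]
    if not version.startswith("HTTP/1."):
        return None
    # rpartition keeps bracketed IPv6 literals such as "[::1]:443" intact.
    host, sep, port_text = authority.rpartition(":")
    if not sep or not host or not port_text.isdigit():
        return None
    port = int(port_text)
    if not 1 <= port <= 65535:
        return None
    return host.lower(), port


def authorize_connect(request_line: str) -> tuple:
    """Decide whether a tunnel may be opened; returns (allowed, reason)."""
    target = parse_connect(request_line)
    if target is None:
        return False, "malformed CONNECT request"
    if target not in ALLOWED_TUNNEL_DESTINATIONS:
        return False, f"{target[0]}:{target[1]} is not on the tunnel allowlist"
    return True, "allowlisted destination"


@dataclass
class Tunnel:
    """Bookkeeping the proxy keeps for one open CONNECT tunnel."""
    host: str
    port: int
    opened_at: float  # seconds on the proxy's clock; constructed in the demo

    def expired(self, now: float, limit: float = MAX_TUNNEL_SECONDS) -> bool:
        """True once the tunnel has outlived the configured lifetime."""
        return now - self.opened_at >= limit


def reap_expired(tunnels: list, now: float) -> list:
    """Return the tunnels that should be closed at time `now`."""
    return [t for t in tunnels if t.expired(now)]


if __name__ == "__main__":
    for line in ("CONNECT bank.example:443 HTTP/1.1",
                 "CONNECT files.example:22 HTTP/1.1",
                 "CONNECT bank.example HTTP/1.1"):
        print(line, "->", authorize_connect(line))
    open_tunnels = [Tunnel("bank.example", 443, 0.0),
                    Tunnel("vpn.example", 443, 600.0)]
    print("to close at t=900:", [t.host for t in reap_expired(open_tunnels, 900.0)])
```

The lifetime check is deliberately independent of idle time: a timer that only fires on inactivity does nothing against a tunnel that is kept busy, which is the case the message is worried about. The cost, as the author notes, is that long legitimate sessions to allowlisted destinations are also cut and must reconnect.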