On 12/17/13, 2:14 PM, John D Groenveld wrote:
> In message <[email protected]>, Saso Kiselkov writes:
>> Minor side-note, unless the proxy is trying to brutally MITM the session
>> (forged certificates and all), then there's absolutely no way for it to
>> know if a particular TLS session is carrying HTTPS traffic or something
>> else (short of doing some kind of statistical analysis of the traffic
>> flow, that is).
>
> I believe Palo Alto Networks' product combines stateful firewall and
> application proxy inspection.
> <URL:https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/tech-briefs/paloaltonetworks-vs-proxy.pdf>

Which does it exactly by utilizing statistical analysis, as I mentioned.

That having been said, it's trivial to break through that by simply
encapsulating your SSH traffic using HTTP tunneling software. Then, for
all intents and purposes, your traffic looks like regular HTTPS (because
it is). Of course they may choose to filter anything that exchanges
small HTTP requests too aggressively, but that would probably break a
fair number of AJAX-based web apps such as GMail (which can be rather
chatty over the line, frequently exchanging tiny XML blobs as you type
messages, etc.).

Cheers,
--
Saso

_______________________________________________
OmniOS-discuss mailing list
[email protected]
http://lists.omniti.com/mailman/listinfo/omnios-discuss
