To allow some configuration to turn off SSL/TLS
while showing the user the https url would be a
SERIOUS security hole. So it is not possible (I
hope). What you will need to do is act as a
'step up' SSL/TLS proxy, acting as a SSL/TLS server
for the browser to talk to, and act as
a SSL/TLS client towards the server, possibly
'enhancing' the user experience by handling client
authentication in your proxy. There have been a
number of such programs, mostly to bypass
the US encryption regulations, which are now a
thing of the past (?).
Another use for such proxies has surfaced lately in that there seems to be a problem in
implementing a reliable 'logoff', especially with 'soft smartcard' tokens, since browsers do
both keep-alive and session caching, which technically allows them to
keep/create SSL/TLS sessions even if the token is removed.
As far as I can see the browser would need to track
both kept-alive connections and SSL/TLS sessions and
discard all such objects created from a given token
if it is ever removed.
Another thing to ponder is whether to track
certificate validity and discard sessions/connections based on that.
I don't know what the browsers currently do.
Anybody care to comment ?
Also, unless you dynamically generate certificates
for the proxy to use in its server role, you will
run into a number of warnings from the browser
about wrong names in the server certificate since
it does a compare on the SubjectAltName extension
if present or Subject DN against the host
part of the URL given by the user. This is to
protect the user against (this kind of) man-in-the-middle
attacks.
You will also run into a warning about a
non-trusted server certificate unless you somehow install
your own CA cert in the browser.
(I've basically run into all of the above myself :-)
Regards
Per
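How the name comparison Per describes works, as an added example that is not part of the original post: a browser-style check of the URL's host part against the certificate's SubjectAltName, falling back to the Subject DN's commonName only when no SAN is present. The certificates and the proxy name are constructed, and the dict shape is the one Python's ssl getpeercert() returns.

```python
"""Browser-style check of the server certificate's name against the host part of
the URL: when a SubjectAltName extension is present its DNS/IP entries are
used, otherwise the Subject DN's commonName. Certificates are in the dict
shape returned by Python's ssl.SSLSocket.getpeercert()."""
import ipaddress

def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive compare; a leading '*.' covers exactly one label, so
    '*.bank.example' matches 'www.bank.example' but not 'bank.example'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels

def match_hostname(cert: dict, hostname: str) -> bool:
    """True when `hostname` is covered by `cert`. SAN, if present, wins over
    the Subject CN, which is then ignored entirely."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = [v for t, v in san if t == "IP Address"]
    if dns_names or ip_names:
        try:
            ip = ipaddress.ip_address(hostname)
        except ValueError:
            return any(_dns_match(n, hostname) for n in dns_names)
        return any(ipaddress.ip_address(n) == ip for n in ip_names)
    # No SAN extension: fall back to every commonName in the Subject DN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, hostname) for cn in cns)

# Constructed sample certificates (not real), in getpeercert() form.
ORIGIN_CERT = {  # what the real server would present
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
PROXY_CERT = {  # a proxy certificate issued for the proxy's own name, no SAN
    "subject": ((("organizationName", "Step-up proxy"),),
                (("commonName", "proxy.internal"),)),
}

if __name__ == "__main__":
    # The proxy's own certificate fails the name check for the URL the user
    # typed, which is what triggers the browser's 'wrong name' warning.
    print(match_hostname(ORIGIN_CERT, "www.bank.example"))  # True
    print(match_hostname(PROXY_CERT, "bank.example"))       # False
```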
- bypassing ssl in browser??? Allan Strid
- Re: bypassing ssl in browser??? Per Nilsson
- Re: bypassing ssl in browser??? Louis LeBlanc
