Network Security CISSP-Discussion

Re: [CISSP-D] Proxy Servers and SSL

Subject: Re: [CISSP-D] Proxy Servers and SSL
Date: Wed, 27 Oct 2004 13:21:23 +1300


PLDT FOA-Armando Bonifacio wrote:

I recently went through a phone interview for a company and they asked
me a question regarding defeating proxy servers.
 
Of course my initial answers were using public proxy servers that mask 
the actual URL if the proxy servers use URL based filtering, or type 
in the IP address of the website instead of the domain. There are a 
lot of public proxy servers that do URL masking anyway, such as 
usproxy.net.
 
Then came the idea of SSL.
 
Let's say the proxy server has a filter turned on for domain.com
 
If the user uses https://domain.com, won't the proxy server still be
able to block this?
 
My interviewer said that it won't. But I was under the impression
that it should.
 
The assumption is that the proxy server can proxy both 80 and 443 
requests.
 
Looking forward to an enlightenment from the group.
 
Anton

Anton,

HTTP proxies are generally HTTPS 'aware', but they can't filter
past a point, due to the contents of the transmission being encrypted.

When the initial connection to the proxy arrives, the client issues the
command "CONNECT <host>:<port>". The proxy then opens a socket to the
remote site, and from then on the client talks over SSL to the end
server; the proxy is just redirecting a bitstream that it can't read.

The proxy can obviously use the connect request to perform an 
accept/deny decision, but that's as smart as it gets.

Hope this helps,

Glenn Phillips, CISSP.
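
The accept/deny decision on the CONNECT request, as an added example that is not part of either message. The domain filter is the one from the question; the function names, the port allow-list and the choice to refuse IP-literal targets are assumptions.

```python
import ipaddress

BLOCKED_DOMAINS = {"domain.com"}   # the filter from the question
ALLOWED_PORTS = {443}              # assumed policy: tunnels only to the HTTPS port

def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', or None if malformed."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdecimal():
        return None
    # Normalise: drop IPv6 brackets and a trailing dot, compare case-insensitively.
    return host.strip("[]").rstrip(".").lower(), int(port)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide_connect(request_line):
    """Accept/deny using only what the proxy can see: the CONNECT target."""
    target = parse_connect(request_line)
    if target is None:
        return "deny", "malformed CONNECT"
    host, port = target
    if port not in ALLOWED_PORTS:
        return "deny", "port not allowed"
    if is_ip_literal(host):
        # A name-based filter cannot match an address; assumed policy is to refuse.
        return "deny", "IP literal target"
    if any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "deny", "blocked domain"
    return "allow", "tunnel opened; payload is opaque to the proxy"

if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    for line in ["CONNECT domain.com:443 HTTP/1.1",
                 "CONNECT www.Domain.com.:443 HTTP/1.1",
                 "CONNECT 192.0.2.10:443 HTTP/1.1",
                 "CONNECT example.org:22 HTTP/1.1",
                 "CONNECT example.org:443 HTTP/1.1"]:
        print(line, "->", decide_connect(line))
```

Once a request is allowed, everything after the CONNECT line is TLS between client and server, so this hostname and port check is the only filtering point available to a proxy that does not terminate the TLS session.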





