Network Security Firewalls

Re: SSL Web Proxy is a Double Edged Sword

Subject: Re: SSL Web Proxy is a Double Edged Sword
Date: Sat, 23 Jul 2005 13:26:09 +0200
Greg Jones wrote:

Greetings,



hi there

What concerns me is the proxying of SSL.  Many think this is super
duper secure, saying "Since SSL encrypts, it must be good!"  But if
what you are trying to do is limit outbound connections from your
employees, this is basically a wide open hole.  Here's how:




Yes ok, this is true ... and I think that a lot of people here know about it and how to use it for their needs.
What I think is that you always have to ask "why am I setting this security feature for my network?" and "who is gonna be limited by this security feature?". I mean, in a normal enterprise network where you use an HTTP/HTTPS proxy to limit outbound connections for your employees, I would expect that these employees would not even imagine that using the SSL tunnel through the proxy can give them access to whatever they want.
An HTTP/HTTPS proxy is a measure I use for general and low-level control ... it is not something I would use as the security base for my network, because it is not intended to accomplish such a scope.


Is there a way to prevent arbitrary data going over your SSL web
proxy?  Here are some ideas:

- Use various group policy and host-based security packages that
restrict which executables are allowed to run, with a default policy
of deny. Also, some kind of network-level authentication should
probably be implemented in a way that would not allow the user to
bypass the exe security by simply reformatting their machine or using
a live cd.



What about personal laptops? Maybe in your network people are not allowed to use laptops ... but I don't see it as a complete solution.

- Or maybe better, after the SSL session key exchange takes place, the
browser could make a second connection via SSL to the proxy server, and
transmit the session key allowing the proxy to see inside the SSL
connection and verify that it is indeed HTTP and not arbitrary data.



I'm not an expert on SSL phases and mechanisms, but with the session key you would also be able to check the content of the connection ... this is something that KILLS privacy completely ... and I don't think it would be legal, at least here ;)

AFAIK the problem resides in the way an HTTPS proxy deals with the SSL connection. What it should do is just check that the request is a correct and legal HTTPS request and then open a "pinhole" in the proxy to allow the communication to pass through ... and that's all. The encrypted nature of SSL connections leads to this situation, in which control over the connection is not 'simple at best'.

Check out this document for a deeper explanation:
http://proxytunnel.sourceforge.net/papers/muppet-200204.html

bye
Francesco
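
Added example, not part of the original message or the linked paper: a sketch of the two checks a proxy can make on a CONNECT tunnel without the session key, namely validating the request line and confirming that the first tunnelled bytes are an SSL/TLS ClientHello. The port policy, function names and sample inputs are assumptions made for illustration.

```python
import re

ALLOWED_PORTS = {443}  # assumption: policy permits CONNECT to HTTPS only
CONNECT_RE = re.compile(r"^CONNECT ([A-Za-z0-9.-]+):(\d{1,5}) HTTP/1\.[01]$")

def check_connect(request_line):
    """Validate the CONNECT request line; return (allowed, reason)."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return False, "malformed CONNECT request"
    host, port = m.group(1), int(m.group(2))
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed for CONNECT"
    return True, f"tunnel to {host}:{port}"

def looks_like_client_hello(first_bytes):
    """Check the first tunnelled bytes for SSL 3.0/TLS record framing.

    Only the cleartext record header is inspected; nothing here can see
    what the encrypted session carries once the handshake completes.
    Obsolete SSLv2-format hellos are rejected.
    """
    if len(first_bytes) < 6:
        return False
    content_type, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    record_len = int.from_bytes(first_bytes[3:5], "big")
    return (content_type == 0x16            # handshake record
            and major == 0x03 and minor <= 0x04
            and 0 < record_len <= 16384     # maximum plaintext record size
            and first_bytes[5] == 0x01)     # ClientHello

def inspect_tunnel(request_line, first_bytes):
    """Proxy-side decision for one tunnel (hypothetical helper)."""
    ok, reason = check_connect(request_line)
    if not ok:
        return "deny: " + reason
    if not looks_like_client_hello(first_bytes):
        return "drop: payload is not an SSL/TLS handshake"
    return "pass: " + reason

# Constructed sample inputs, not captured traffic.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + b"\x00" * 4
SSH_BANNER = b"SSH-2.0-example\r\n"

if __name__ == "__main__":
    print(inspect_tunnel("CONNECT www.example.com:443 HTTP/1.1", TLS_HELLO))
    print(inspect_tunnel("CONNECT www.example.com:443 HTTP/1.1", SSH_BANNER))
    print(inspect_tunnel("CONNECT host.example.net:22 HTTP/1.0", SSH_BANNER))
```

A tunnel that wraps its traffic in a genuine SSL/TLS session still passes both checks, which is the limit the message describes.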
