More accurately, it will warn the user if their *browser* doesn't
trust the CA. SSL solutions like Bluecoat are used pretty widely to
allow network administrators/security groups/compliance groups
visibility into that traffic. Typically where SSL is being
intercepted and re-signed by the appliance, a GPO push is down of the
new CA to ensure users aren't constantly getting certificate warnings.
On the policy side of things, clearly users need to be advised of the
company policy and sign off on it - which should be true for all
monitoring regardless of whether it's encrypted or not.
As a side note, once you've decrypted the SSL like this it's pretty
trivial to check the type of traffic and deny someone who's trying to
tunnel ;)
Cheers,
---
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"
On 11-Dec-07, at 10:28 AM, Scalcione.David wrote:
is there any standard mechanism (in SSL standard or in HTTP standard)
to send actual CA certificate to the browser by forward proxies?
I think that would defeat the whole purpose of SSL. The whole point
of SSL is to warn the user if they don't trust the CA. Users would
need to manually install that CA cert before that kind of IPS system
would work. Otherwise they'd get a security warning every time they
access an SSL connection. If it WERE possible to make the browser
display a prompt to install the CA cert, the IPS device would not
know if the user ever installed it and would prompt them to install
it every time they opened an SSL connection. Also, remember, any
protocol can travel through SSL. It's not always a browser as the
SSL client, could be email, VPN, etc.
Dave
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com
] On
Behalf Of Ravi Chunduru
Sent: 08 December 2007 18:33
To: focus-ids@securityfocus.com
Subject: SSL - Man-in-the-Middle filtering
it seems that some network IPS devices and application firewalls are
not only providing SSL based HTTP inspection on server side, but also
on client side (i know of one IPS device which is in beta testing).
i understand that it is required as attacks can be sent in SSL to
avoid blocking.
when deployed on client side, these devices resign certificates (of
public servers) with local CA certificate. i see two aspects to it -
users need to trust local authority (enterprise administrators) and
second is users will have false sense of security (that is users are
no longer see the actual CA of server certificate).
any comments on acceptance of this functionality in enterprise
deployments?
is there any standard mechanism (in SSL standard or in HTTP standard)
to send actual CA certificate to the browser by forward proxies?
thanks
Ravi
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
The information contained in this communication is confidential and
privileged information intended only for the use of the individual
or entity to which it is addressed. If you are not the addressee
indicated in this message (or an agent responsible for delivery of
the message to such person), you are hereby notified that you have
received this communication in error and that any review,
dissemination, copying, or any action or omission taken by you in
reliance on it, is strictly prohibited. Please destroy this message
and notify the sender immediately if you have received it in error.
Please also advise immediately if you or your employer do not
consent to e-mail communications. Opinions, conclusions and other
information in this message that do not relate to the official
business of Yardville National Bank shall be understood as neither
given nor endorsed by it.
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
