Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security ISSForum
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ISSForum] Inspect web mail

from [Soldatov, Sergey V.] Network Security [Permanent Link]
Subject: Re: [ISSForum] Inspect web mail
Date: Wed, 18 Jan 2006 08:53:00 +0300 


-----Original Message-----
From: Palmer, Paul (ISSAtlanta) [mailto:PPalmer@iss.net] 
Sent: Tuesday, January 17, 2006 11:09 PM
To: Soldatov, Sergey V.; Massimo; Claudia Patricia Prada Guzman
Cc: issforum@atla-mm1.iss.net
Subject: RE: [ISSForum] Inspect web mail

Sergey,

SSL was specifically designed to prevent Man in the Middle attacks.

In order to perform a "man in the middle" operation against 
SSL, it is necessary to know the server's private key. In 


Paul,

It's not nessesaty, because there is no ability for client to check if
server's private key right or wrong (the only way - if client has
server's certificate, but it's not right for Internet, because for every
HTTPS session client receive certificate from Internet, so client does
not sure if this certificate from server or from man-in-the-middle). To
solve this problem there are CAs. About CAs see below.


this case, you are not really in the middle, just decrypting 
the traffic on the fly. Even then, it may be impossible if 
you cannot control the protocol negotiations that occur at 
the beginning of the connection as the protocol allows for 
ephemeral keys on both ends.

If you try to proxy the connection, decrypt it by providing 
your own private key to the client and then re-encrypt it to 
its final destination you will not go undetected. At the very 
least, the clients will complain on each and every 
connection. Some SSL clients will refuse to operate over the 
proxied connection at all.



In my situation SSL clients have no ability to get to know that their
connections are proxied by man-in-the-middle. My SSL proxy for each SSL
server issues server's certificate signed with proxy's certificate. I
have full control over all workstations in my LAN, because of this it's
no problem for me to import proxy's certificate into trusted CAs in each
SSL client. In this case SSL client will not generate any warnings.



Paul

-----Original Message-----
From: issforum-bounces@atla-mm1.iss.net On Behalf Of 
Soldatov, Sergey V.
Sent: Friday, January 13, 2006 9:18 AM
To: Massimo; Claudia Patricia Prada Guzman
Cc: issforum@atla-mm1.iss.net
Subject: Re: [ISSForum] Inspect web mail




-----Original Message-----
From: issforum-bounces@iss.net
[mailto:issforum-bounces@iss.net] On Behalf Of Massimo
Sent: Monday, January 09, 2006 1:33 PM
To: Claudia Patricia Prada Guzman
Cc: issforum@iss.net
Subject: Re: [ISSForum] Inspect web mail

Claudia Patricia Prada Guzman wrote:

Some body knows how to inspect web mail (GMAIL, telcomails

) using Porventia G.?

These equipment has two signatures that inspect attached

files, but if I want to create a new signature using GMAIL, what do 
should I do ?

You should ask gmail not to use SSL for their web mail.

You can't analize/block https connection (you can do it 

with hotmail, 

yahoo because they are clear text http).


You can analyze/block https connection if your Proventia G 
can perform Man-In-The-Middle attack against SSL. I know some 
products that can do this (for example WebWasher CSM's SSL 
scanner). Of course advanced users will see this, but this 
can be solved administratively. Can Proventia G scan 
SSL-traffic performing MITM-attack?




Best Regards,
                    Massimo

_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to 

mod-issforum@iss.net


The ISSForum mailing list is hosted and managed by Internet 

Security 

Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.





---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 495 745 89 50
tel +7 495 777 77 07 (1613) 


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.




_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ISSForum] Inspect web mail, Palmer, Paul \(ISSAtlanta\)
Next by Date:  Re: [ISSForum] TCP_Port_Scan, Soldatov, Sergey V.
Previous by Thread:  Re: [ISSForum] Inspect web mail, Palmer, Paul \(ISSAtlanta\)
Next by Thread:  [ISSForum] 7.0 XPU (24.25), Mohammed Atari
Indexes:  [Date] [Thread] [Top] [All Lists]