On Tue, May 17, 2005 at 03:34:16PM +0200, Christoph Puppe wrote:
Henderson, Dennis K. schrieb:
It seems like he was looking for information on how to prevent this.
The most thorough way to prevent proxy abuses, that use the CONNECT
feature to simulate valid HTTPS traffic, is breaking up all this
connections, decrypted and have them scrutinized with your normal content
security tool. The Proxy acts like a man in the middle attacker, it get's
the HTTPS connection, produces a certificate that matches the site beeing
requested and presents this to the client. The client agrees on a
session-key with the proxy and starts sending requests. The proxy pipes
this requests through some logic to determine if this is an OK request,
most firewalls and CS-Tools will do this for you. Then the proxy opens a
new connection to the site requested, checks the certificate and sends the
requests. The results are processed likewise.
Sounds complicated? It's a little more challenging than a simple proxy
and the clients all need to have a new Root-CA-Certificate, that is used by
the proxy to sign the fake-certificates. Works fine. Keeps the tunnels
closed _and_ you get content security for https connections. No more
viruses from Web-Mail accounts that use https.
Of course, setting the firewall so, that the proxy may only connect to
80,443,8080 and other well known http/s ports should be done. Monitoring
logfiles is a good idea as well.
The problem, of course, being that this makes verification of the remote
end of the connection impossible as well as compromising privacy for the
parties behind the firewall.
So this will also make HTTPS less useful for the user. There is a trade
off here...
Joachim
pgpuKTR7JfRQT.pgp
Description: PGP signature
