Rick Murphy wrote:
>
> At 04:28 PM 5/30/00 +0200, Graham Wheeler wrote:
> >SSL can be restricted to particular e-commerce sites. Alternatively, a
> >proxy can be created which acts as an SSL server on one side and a
> >client on the other. In between the content can be decrypted and
> >filtered. I don't know if anyone does this but it is possible in
> >principle. And authentication of servers is still possible within this
> >scheme, provided the original client trusts the proxy, which they should
> >be able to do if it is running on their firewall.
>
> That works until you want SSL V2 (client authentication) - unless you trust
> your proxy to hold everyone's private key (VERY bad idea).
Agreed, but most people use v1.5, and the main application of SSL in
practice is not so much authentication as it is encryption, to make
sniffing much harder. That's likely to change, of course, but a scheme
as I have described would have been quite adequate for most SSL use in
the past few years, and still today.
> I've seen several proposals to do what you describe but I've never seen it
> tried; I thought you would need to make changes to the browsers to permit
> them to accept the proxy's certificate in lieu of the site they expected
> one from; a recent Netscape bug (once a cert is marked as ok for a site
> even though it doesn't match the domain, that cert is OK for *ANY* site)
> could be exploited to make this work.
I suspect (but I also haven't tested this) that you would not need to do
this; you could have a self-signed certificate that the proxy presents.
The browser will complain about it, but should give you the option of
accepting it, and having the acceptance last for the lifetime of the
certificate.
--
Dr Graham Wheeler E-mail: [EMAIL PROTECTED]
Director, Research and Development WWW: http://www.cequrux.com
CEQURUX Technologies Phone: +27(21)423-6065
Firewalls/VPN Specialists Fax: +27(21)424-3656
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
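The split proxy described in this exchange, as an added Python example that is not code from the thread or from CEQURUX: the firewall terminates TLS toward the browser with its own certificate (which the browser must already have chosen to trust), inspects the decrypted request against a filter policy, and opens a separately verified TLS connection to the origin. The certificate file paths, the `/admin` block rule and the way the intended origin host is supplied are assumptions.

```python
import contextlib
import socket
import ssl
import threading
BLOCKED_PATH_PREFIXES = (b"/admin",)  # constructed example filter rule
MAX_HEADER_BYTES = 16 * 1024

def inspect_request(head: bytes):
    # Policy check on one decrypted HTTP request head: returns (allowed, reason).
    if b"\r\n\r\n" not in head:
        return False, "incomplete-or-oversized-header"
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return False, "malformed-request-line"
    if any(parts[1].startswith(p) for p in BLOCKED_PATH_PREFIXES):
        return False, "blocked-path"
    return True, "ok"

def server_context(cert_file, key_file):
    # Browser-facing side: the proxy's own cert, which the browser must already trust.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    return ctx

def client_context(cafile=None):
    # Origin-facing side: the real site's certificate and hostname are verified here,
    # at the firewall. The origin sees the proxy, so client-cert auth cannot pass through.
    return ssl.create_default_context(cafile=cafile)

def pump(src, dst):
    with contextlib.suppress(OSError):  # copy one way until EOF, then close the far end
        while data := src.recv(4096):
            dst.sendall(data)
    dst.close()

def handle(client_raw, sctx, cctx, origin_host):
    client = sctx.wrap_socket(client_raw, server_side=True)
    head = b""
    while (b"\r\n\r\n" not in head and len(head) < MAX_HEADER_BYTES
           and (chunk := client.recv(4096))):
        head += chunk
    ok, _ = inspect_request(head)
    if not ok:  # refused on the decrypted side; nothing reaches the origin
        client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        return client.close()
    origin = cctx.wrap_socket(socket.create_connection((origin_host, 443)), server_hostname=origin_host)
    origin.sendall(head)  # forward the inspected bytes, then relay both directions
    threading.Thread(target=pump, args=(client, origin), daemon=True).start()
    pump(origin, client)
```

A listening loop that calls `handle` once per accepted connection and supplies the origin host the browser intended is left out; the filter runs only on the request head, so response-side filtering would need a second inspection step inside `pump`.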