> Now you can buy products off-the-shelf that man-in-the-middle SSL with > the "new feature" called SSL Filtering; both WebWasher and Secure > Computing are offering this functionality.
Not new, I remember discussing this years ago, however implementation is another story. > In summary, the transparent SSL proxy dynamically issues certificates > for any SSL server you try to communicate with (e.g. "etrade.com"), > which allows it to act as though it were the actual server and proxy, > decrypt, and filter all SSL information from the server. Somehow or > another, your browser must trust the proxy server's own root CA. Of > course, your company's security policy will surely require you to do so. If you control the client to such a degree (being able to force installation of root authority certificates) then it's a moot point. If however you can trick the client into installing such a certificate, and maybe fiddle their DNS server settings at the same time, you have a larger problem. Like the SWEN virus did..... Personally I think this is going to be a huge area. Why dick around stealing credit card numbers/etc when you can simply sieze someone's online banking/brokering credentials, or a few hundred such accounts oh, just like Van T. Dinh did: http://www.theregister.co.uk/content/55/33320.html $90,000 for the cost of sending someone a small trojan. Not a bad risk/reward ratio, if you can figure out how to launder the money. Things will probably get a lot worse before they get well and truly bad, to say nothing of when they get utterly horrible. Sort of wish I'd patented this now ("one-click financial fraud"?). Kurt Seifried, [EMAIL PROTECTED] A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
