On Wednesday 26 May 2004 05:56 am, Miguel Angel Garcia Rivas wrote:

> Is there any way to analyze HTTPs traffic with a network sensor ?
Only if you cheat. If the IDS is aware of the key, then the IDS can decrypt right along with the web server. But this breaks the trust value of SSL, since now you have more than one entity with the private key. AFAIK, ISS doesn't implement this. Someone else might.

Another way is to terminate the SSL connection in front of the IDS, then pass on the data in the clear past the IDS and to the web server. Again, this breaks the philosophy of an end-to-end SSL-encrypted channel, but it's more common. Popular load balancers have this functionality (like F5's stuff).

If you want to be more liberal with your notion of "analyze HTTPS traffic," you can still watch the packets without disrupting the encryption -- the initial handshakes are all in the clear, so you can watch that (and there are a few ISS rules that do that), and if you wanted, you could ensure that the traffic really is encrypted, and not using null encryption or weak encryption. I don't know any rules / products that do this today, but it's possible. Watching for null encryption would be easy. Analyzing for weak encryption would be harder.

-- 
Tod Beardsley | www.planb-security.net
Free Isamu Kaneko: http://www.freekaneko.com/en/

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
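The passive check the reply describes (watching the cleartext handshake and flagging null or weak cipher suites) is small enough to show end to end. The following is an added example, not code from the thread or from any ISS product: it parses a TLS ClientHello or ServerHello record, pulls out the offered or negotiated cipher suite code points, and classifies them against a short table of null-encryption and 40-bit/single-DES suites taken from the IANA TLS cipher-suite registry. The `build_*_hello` helpers construct minimal sample records so the block runs offline; the record layout they emit is the real SSLv3/TLS 1.x one, but the zeroed random field and empty session id are constructed test data, not a captured handshake.

```python
import struct

HANDSHAKE = 0x16      # TLS record content type for handshake messages
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02

# Cipher-suite code points from the IANA TLS registry, grouped by the
# property a sensor rule would flag.  Assumption: this short table is all
# the example knows about; a real sensor would carry the full registry.
NULL_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
}
WEAK_SUITES = {  # 40-bit export suites and single DES
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_hello(record):
    """Parse one TLS record carrying a ClientHello or ServerHello.

    Returns (handshake_type, [cipher suite code points]).  Both messages are
    sent before any key material exists, so a passive sensor reads them as-is.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]          # record header: type(1) version(2) length(2)
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")               # handshake header: type(1) length(3)
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                                            # skip version(2) and random(32)
    sid_len = hello[pos]
    pos += 1 + sid_len                                      # skip session_id
    if hs_type == SERVER_HELLO:
        return hs_type, [struct.unpack("!H", hello[pos:pos + 2])[0]]
    if hs_type == CLIENT_HELLO:
        n = struct.unpack("!H", hello[pos:pos + 2])[0]      # cipher_suites length in bytes
        pos += 2
        suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
        return hs_type, suites
    raise ValueError("unexpected handshake type %d" % hs_type)


def classify(suite):
    """Return (verdict, name): verdict is "NULL", "WEAK" or "OK"."""
    if suite in NULL_SUITES:
        return "NULL", NULL_SUITES[suite]
    if suite in WEAK_SUITES:
        return "WEAK", WEAK_SUITES[suite]
    return "OK", "0x%04X" % suite


def check_server_hello(record):
    """Alert text for the suite the server chose, or None when it is neither null nor weak."""
    hs_type, suites = parse_hello(record)
    if hs_type != SERVER_HELLO:
        raise ValueError("expected ServerHello")
    verdict, name = classify(suites[0])
    return None if verdict == "OK" else "%s encryption negotiated: %s" % (verdict, name)


def flag_client_hello(record):
    """Names of null/weak suites a client offered (lower-severity than the server picking one)."""
    hs_type, suites = parse_hello(record)
    if hs_type != CLIENT_HELLO:
        raise ValueError("expected ClientHello")
    return [name for verdict, name in map(classify, suites) if verdict != "OK"]


def build_server_hello(suite, version=b"\x03\x01"):
    """Constructed TLS 1.0 ServerHello record: zero random, empty session id, null compression."""
    hello = version + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites, version=b"\x03\x01"):
    """Constructed TLS 1.0 ClientHello record offering the given suites."""
    cs = struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello = version + b"\x00" * 32 + b"\x00" + cs + b"\x01\x00"
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for suite in (0x002F, 0x0002, 0x0003):
        print(check_server_hello(build_server_hello(suite)))
    print(flag_client_hello(build_client_hello([0x002F, 0x0000, 0x0009])))
```

Two caveats match the reply's closing point. Null encryption is a plain table lookup on the ServerHello, which is why it is easy; "weak" is a policy call (which key lengths and ciphers count) and the sensor also cannot see the server certificate's key size or the DH parameters without parsing the Certificate and ServerKeyExchange messages as well, which is where the harder work lies. The record layout above is SSLv3/TLS 1.0-1.2; SSLv2 uses a different framing, and TLS 1.3 still exposes the chosen suite in the ServerHello but encrypts everything after it.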
