Network sensor does not currently have the ability to analyze traffic encapsulated 
within HTTPS, although it does recognize certain attacks against the HTTPS protocol 
itself.

Although I haven't tried it myself, I know of no reason why it would be impossible for 
a network device (such as network sensor) to decrypt HTTPS traffic from the network if 
it had the server's private key. However, performance would not be very good as 
decrypting the traffic would be very expensive.

Generally, we prefer to plug sensors directly into the IIS or Apache servers. Both 
servers provide interfaces that allow a sensor to view the decrypted HTTP requests. 
This tends to be more efficient and can eliminate the overhead of dealing with certain 
evasion techniques.

Paul 

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Miguel Angel Garcia Rivas
Sent: Wednesday, May 26, 2004 6:56 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Sniffing https traffic ?

Hello all.

Is there any way to analyze HTTPs traffic with a network sensor ?
I told to my enterprise engineers that it isnt possible, but they insist 
that could be possible moving the PrivateKey from our webserver 
certificate to our Network sensor machine.
I was looking for any way to do that, but im still thinking about it isnt 
possible....

I know that there isnt any option in ISS realsecure Site Protector to 
import certificates to decrypt https traffic.
Is there anyone who know something about this ?? am i wrong and is 
possible to sniffing https traffic ??

Thanks in advance.


Un Saludo / Best Regards.

-------------------------------------------------
Miguel Angel Garc�a Rivas
[EMAIL PROTECTED]
Network Security Specialist
Phone:     91 397 9793
Mobile:    +34.609670443
-------------------------------------------------
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 
Barfield Road, Atlanta, Georgia, USA 30328.

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 
Barfield Road, Atlanta, Georgia, USA 30328.

Reply via email to