Network sensor does not currently have the ability to analyze traffic encapsulated within HTTPS, although it does recognize certain attacks against the HTTPS protocol itself.
Although I haven't tried it myself, I know of no reason why it would be impossible for a network device (such as network sensor) to decrypt HTTPS traffic from the network if it had the server's private key. However, performance would not be very good as decrypting the traffic would be very expensive. Generally, we prefer to plug sensors directly into the IIS or Apache servers. Both servers provide interfaces that allow a sensor to view the decrypted HTTP requests. This tends to be more efficient and can eliminate the overhead of dealing with certain evasion techniques. Paul -----Original Message----- From: [EMAIL PROTECTED] On Behalf Of Miguel Angel Garcia Rivas Sent: Wednesday, May 26, 2004 6:56 AM To: [EMAIL PROTECTED] Subject: [ISSForum] Sniffing https traffic ? Hello all. Is there any way to analyze HTTPs traffic with a network sensor ? I told to my enterprise engineers that it isnt possible, but they insist that could be possible moving the PrivateKey from our webserver certificate to our Network sensor machine. I was looking for any way to do that, but im still thinking about it isnt possible.... I know that there isnt any option in ISS realsecure Site Protector to import certificates to decrypt https traffic. Is there anyone who know something about this ?? am i wrong and is possible to sniffing https traffic ?? Thanks in advance. Un Saludo / Best Regards. ------------------------------------------------- Miguel Angel Garc�a Rivas [EMAIL PROTECTED] Network Security Specialist Phone: 91 397 9793 Mobile: +34.609670443 ------------------------------------------------- _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328. _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
