Hi,

As all the others said, it's not possible, but you can take a 2-layer approach. You can put in another web server which will receive and decrypt SSL (this will have the certificate) and redirect all DECRYPTED traffic to the real app server.

With this approach you can dedicate one server only to decryption and take some load off the app server. Just put your sensor in the middle. It can also confuse any intrusion attempt with the server behavior, because you can mix servers (Apache decrypts and IIS is the app, or any other mix). The only disadvantage is you need another server!!!

Some IPS like HIVE from Sentryware can do this kind of thing (decryption), and then you just put your sensor in the middle.

Kind regards
_______________________
Luis Javier Pérez
CISSP, OPSA
BS7799 Auditor
Scitum S.A. de C.V.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sergey V Soldatov
Sent: Thursday, May 27, 2004 3:39 PM
To: Miguel Angel Garcia Rivas <miguel.gr
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ISSForum] Sniffing https traffic ?

Yes, it is possible to sniff SSL/TLS traffic if you have your own CA and have the ability to install its certificates in the clients' browsers. This attack is known as "Man-In-The-Middle" (MITM), which enables you to intercept data within the SSL tunnel.

But, as far as I know (please correct me if I am mistaken), RNE isn't able to capture SSL traffic even if the target server's certificate is on the RNE machine.

Thanks.

---
Best regards, Sergey V. Soldatov.
tel/fax +7 095 745 89 50 (2663)

Miguel Angel Garcia Rivas <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent by:
cc: [EMAIL PROTECTED]
Subject: [ISSForum] Sniffing https traffic ?
26.05.2004 14:56

Hello all.

Is there any way to analyze HTTPS traffic with a network sensor?

I told my enterprise engineers that it isn't possible, but they insist that it could be possible by moving the private key from our web server certificate to our network sensor machine.

I was looking for a way to do that, but I still think it isn't possible... I know that there isn't any option in ISS RealSecure Site Protector to import certificates to decrypt HTTPS traffic.

Is there anyone who knows something about this?

Am I wrong, and is it possible to sniff HTTPS traffic?

Thanks in advance.

Un Saludo / Best Regards.
-------------------------------------------------
Miguel Angel García Rivas
[EMAIL PROTECTED]
Network Security Specialist
Phone: 91 397 9793
Mobile: +34.609670443
-------------------------------------------------

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
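
The two-layer layout from the first reply in this thread, sketched as an Apache front end that terminates SSL and hands plain HTTP to the app server, with the sensor watching the segment between them. This is an added example, not part of the original thread; the host name, addresses and file paths are placeholders.

```apache
# Added example: TLS-terminating front end for the two-layer layout.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
# Host name, backend address and file paths are placeholders (assumptions).

Listen 443

<VirtualHost *:443>
    ServerName www.example.com

    # The front end is the only machine holding the certificate and its
    # private key; neither the app server nor the sensor needs a copy.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Keep the Host header the client sent, so the app server and the
    # sensor see the requested site name rather than the backend address.
    ProxyPreserveHost On

    # Decrypted requests travel to the app server as plain HTTP over a
    # dedicated internal segment. The sensor monitors this segment.
    ProxyPass        / http://10.0.0.20:80/
    ProxyPassReverse / http://10.0.0.20:80/

    # Let the application know the client side of the connection was HTTPS.
    # mod_proxy_http adds X-Forwarded-For with the client address itself.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

On the inner segment every connection originates from the front end, so sensor alerts show the proxy as the source and the real client address has to be read from X-Forwarded-For. That segment carries cleartext, so it should reach only the front end, the app server and the sensor.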
