On Thu, 25 Mar 2004, Graham Leggett wrote:
> What you're describing is effectively an SSL man-in-the-middle attack,
> and although you're doing it for useful purposes, it is the wrong way to
> go about this.
I would only describe it as an attack on the known weakness of
certificate handling in current browsers, not on SSL. The problem
is that there is no canonical mapping from hostnames to CAs.
> The correct solution is to set up your own reverse proxy, with your own
> real SSL cert, which can reverse proxy the webmail site. The module you
> described can then be used to virus scan the mail.
This simply is not practical for a large corporation. And
standard security practices would really prefer to have it the
other way round: only sites explicitly excluded from scanning
should be spared the scanning. That's the way we generally handle
security policies for firewalls, why should it be the other way
round for SSL traffic? And there still are many other ways to
download infected stuff.
I think this all boils down to the question: what is more
important for a corporation: individual privacy for employees or
data security for the corporation? An Internet provider or home
user will of course have a different view than the corporate
security officer. Although employees have a right to use the
office phone for private calls, banks usually tape the majority
of phone calls for their own security. What's the difference?
> As a separate exercise, block access to the webmail systems, and inform
> people they must use your reverse proxied website instead in order to
> gain access.
In squid, a simple redirect to the reverse proxied webmail from
the webmail system would do, I guess.
With kind regards
Andreas Mueller
--
Dr. Andreas Mueller, Beratung und Entwicklung
Bubental 53, CH - 8852 Altendorf
Email: [EMAIL PROTECTED]
Voice: +41 55 4621483 Fax: +41 55 4621485