On Jan 30, 2008 10:16 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
> Not quite - I don't know of any application proxy that actually
> does well with all of the verbs, etc., in the HTTP suite, especially
> when you throw javascript, xml, activeX controls, etc., etc., etc. at
> it.

I don't know why any of that should be relevant. When SSL is tunneled over an HTTP proxy, the client makes the regular connection to the proxy server, and then submits a CONNECT method. The proxy then opens the TCP connection to the specified destination, and gets out of the way. The client then starts SSL like it opened the TCP connection that way from the start. Everything else is part of the SSL payload, and thus encrypted. The proxy can't see any of it, so it can't screw it up, either. The SSL verification just means the proxy watches what is sent over the TCP connection to make sure it looks like an SSL session setup, and drops the connection if it isn't.

> I do know of at least one firewall that will decrypt SSL as it
> passes through, though, for inspection purposes - of course, that
> means some tricky work with certs ...

Hmmm... I'm guessing it has you add a local CA certificate to the trusted CA list on all the clients, and then the proxy impersonates whatever SSL site the client is requesting? Wouldn't that break client SSL certificates, though? Even so, I'm kinda curious -- got a link or product name?

> ... you have the underlying protocol that's
> being tunneled, and if it's not HTTP, then it gets really tricky.

*Exactly*. Although, if the goal is just to make sure TCP/443 is only being used for HTTP-over-SSL (and not some arbitrary protocol), it at least makes that much possible. Of course, there's still the possible use of HTTP as a covert channel. I think someone has created an "IP over HTML" proof-of-concept.

>> Default deny with whitelisting of SSL sites is one approach, but
>> that's an obvious hassle.
>
> Yes, and I'm nearly ready to go there.

Wish I could. Cost/benefit isn't there for us.

> I say, let's kill all the users - then we'll have good security, eh? :)

The DoD still says the best way to secure a classified system is with the Air Gap(TM) firewall -- don't connect it to a network and you've solved the network attack problem.

--
Ben

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
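The CONNECT tunnel and the "does it look like an SSL session setup" check that Ben describes, modelled in a few dozen lines of Python. This is an added example written for this page, not code from the thread or from any proxy or firewall product it mentions; the request bytes, the ClientHello bytes and the port policy are all constructed samples, and `handle_connect` is a hypothetical model of the proxy's decision, not a real server.

```python
"""Model of an HTTP proxy's CONNECT handling plus a check that the first bytes
sent through the tunnel are a TLS handshake.  Example code written for this
page (not from the original post or any product it mentions)."""
import re

# Constructed sample request: what a client sends to the proxy to ask for a tunnel.
SAMPLE_CONNECT = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                  b"Host: www.example.com:443\r\n\r\n")

# Constructed sample: the first bytes a TLS client sends once the tunnel is open.
# TLS record header (type 0x16 = handshake, version 3.1, length 0x2e) followed by
# a handshake header (type 0x01 = ClientHello, length 0x2a), then a padded body.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301002e0100002a0303") + bytes(40)

# What the proxy answers once it has opened the TCP connection to the destination.
ESTABLISHED = b"HTTP/1.1 200 Connection Established\r\n\r\n"
FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\n\r\n"
BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\n\r\n"

# Request line of an HTTP/1.x CONNECT: "CONNECT host:port HTTP/1.1"
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+([^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r?\n")


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request, or raise ValueError."""
    m = CONNECT_RE.match(request)
    if not m:
        raise ValueError("not a CONNECT request")
    host, port = m.group(1).decode("ascii"), int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return host, port


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if `data` starts with a TLS record carrying a ClientHello.

    Only TLS record framing (SSL 3.0 / TLS 1.x) is recognised; an SSLv2-style
    compatible hello uses a different framing and is rejected here.
    """
    if len(data) < 9:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    rec_len = int.from_bytes(data[3:5], "big")
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    return (content_type == 0x16      # handshake record
            and major == 3 and minor <= 4
            and rec_len >= 4
            and hs_type == 0x01       # ClientHello
            and hs_len + 4 >= rec_len)  # message at least fills the record


def handle_connect(request: bytes, first_client_bytes: bytes,
                   allowed_ports=frozenset({443})):
    """Hypothetical proxy decision for one tunnel: (action, response_bytes).

    The proxy can only look at the client's bytes after it has answered 200,
    so a tunnel that fails the TLS check is "drop"ped after being established.
    """
    try:
        host, port = parse_connect(request)
    except ValueError:
        return "reject", BAD_REQUEST
    if port not in allowed_ports:          # policy: only tunnel to SSL ports
        return "reject", FORBIDDEN
    # A real proxy would now connect to host:port, answer 200 and start relaying.
    if not looks_like_tls_client_hello(first_client_bytes):
        return "drop", ESTABLISHED         # granted, then torn down
    return "relay", ESTABLISHED
```

The key point the example makes concrete is the ordering: the proxy's only decision inputs are the CONNECT line (host, port) and the opaque bytes that follow its 200 response; everything after a genuine ClientHello is encrypted and can only be relayed or dropped, not understood.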
