On Tue, Mar 22, 2011 at 5:22 PM, Adam Thompson <[email protected]> wrote:
>
> Some commercial firewalls (Fortigate, most notably) claim to filter HTTPS,
> I'm still a bit unclear on how they manage to break SSL that thoroughly
> even with what amounts to a MitM attack...
>

The way those in general work (not sure on Fortigate specifically) is
they MITM HTTPS as a proxy: you have to install a certificate on all
the clients that it uses, so they trust the forged certs it provides to
the internal clients. There are two HTTPS connections, one from the client
to the firewall, one from the firewall to the actual site. No open
source equivalent that I've seen or heard of.

OpenDNS or other DNS blocking/modification, such as via the DNS
forwarder, is generally the easiest way to control HTTPS by domain; and
make sure nobody can use other DNS servers.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org
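Added example, not from the list thread: a Go program modelling the two-legged proxy described above, with a constructed "public" CA, a constructed "firewall interception" CA, and a hypothetical mkCert helper. It shows why the firewall's CA must be installed on clients (the forged leaf fails normal validation otherwise) and how an SPKI pin still exposes the re-issued certificate even after that CA is trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a cert for name (a CA when isCA) signed by parent, or self-signed when parent is nil.
// Constructed demo helper only; real CAs and firewalls issue certificates with far more care.
func mkCert(name string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		DNSNames: []string{name}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsTo is the check a browser performs: does leaf verify for host against this trust store?
func chainsTo(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin hashes the leaf's public key, the value a pinning client compares against.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// RunScenario models the two-legged proxy: the client is shown a leaf re-issued under the firewall's CA.
func RunScenario(host string) (legitOK, forgedOK, forgedOKWithProxyCA, pinMatches bool) {
	pool := func(cs ...*x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); for _, c := range cs { p.AddCert(c) }; return p }
	siteCA, siteKey := mkCert("Public Root CA (constructed)", true, nil, nil)
	siteLeaf, _ := mkCert(host, false, siteCA, siteKey) // what the firewall sees on its outbound leg
	proxyCA, proxyKey := mkCert("Firewall Interception CA (constructed)", true, nil, nil)
	forged, _ := mkCert(host, false, proxyCA, proxyKey) // what the client sees; new key, the proxy never has the site's
	return chainsTo(siteLeaf, pool(siteCA), host), chainsTo(forged, pool(siteCA), host),
		chainsTo(forged, pool(siteCA, proxyCA), host), spkiPin(forged) == spkiPin(siteLeaf)
}

func main() { fmt.Println(RunScenario("example.com")) }
```

Comparing the SPKI hash of the certificate a client actually receives against a known-good pin is the practical way to detect that an interception CA has been pushed to that client.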
