Re: HTTPS proxy tool that resigns SSL certs

From: Nathan Keltner (shiftnato@gmail.com)
Date: Tue Jun 06 2006 - 16:20:32 EDT


On 6/6/06, Steve Abatangle <stevea@eloan.com> wrote:
> Bluecoat makes a product that does this very thing -- they claim it's the only proxy server (commercial, anyway) that does this. The browser *will* be alerted, but you can either alert the user community to accept the CA cert, or just install the CA cert into the browsers on all workstations.

Regarding alerting the user community, I spoke with someone a while
ago who had been working with a government agency and had seen some
unintended side effects of this approach. Apparently, the government
(or at least this agency) decided they didn't want to pay to have
"authoritative" certs made and didn't go through the hassle of
defining an authoritative server for users on their LANs. As a
result, all of their certs popped up the warning banner for the
client, and they dutifully trained all of their users to just "click
through" without reading the message any time it popped up.

Needless to say, there are dangers in having an entire staff of
computer users who routinely click through those warning messages, so
keep that in mind. User behavior like that is already a problem;
carefully consider whether this would teach bad behavior, and whether
that's worth it.

Regards,
Nathan Keltner
