From: Christoph Puppe (puppe@hisolutions.com)
Date: Tue May 17 2005 - 09:34:16 EDT
Henderson, Dennis K. schrieb:
> It seems like he was looking for information on how to prevent this.
The most thorough way to prevent proxy abuses, that use the CONNECT
feature to simulate valid HTTPS traffic, is breaking up all this
connections, decrypted and have them scrutinized with your normal content
security tool. The Proxy acts like a man in the middle attacker, it get's
the HTTPS connection, produces a certificate that matches the site beeing
requested and presents this to the client. The client agrees on a
session-key with the proxy and starts sending requests. The proxy pipes
this requests through some logic to determine if this is an OK request,
most firewalls and CS-Tools will do this for you. Then the proxy opens a
new connection to the site requested, checks the certificate and sends the
requests. The results are processed likewise.
Sounds complicated? It's a little more challenging than a simple proxy
and the clients all need to have a new Root-CA-Certificate, that is used by
the proxy to sign the fake-certificates. Works fine. Keeps the tunnels
closed _and_ you get content security for https connections. No more
viruses from Web-Mail accounts that use https.
Of course, setting the firewall so, that the proxy may only connect to
80,443,8080 and other well known http/s ports should be done. Monitoring
logfiles is a good idea as well.
-- Mit freundlichen Grüßen Christoph Puppe Security Consultant We secure your business.(TM) _______________________________________________________ HiSolutions AG Phone: +49 30 533289-0 Bouchéstrasse 12 Fax: +49 30 533289-99 D-12435 Berlin Internet: http://www.hisolutions.com _______________________________________________________
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:21 EDT