From: Joachim Schipper (j.schipper@math.uu.nl)
Date: Wed May 18 2005 - 07:25:49 EDT
On Tue, May 17, 2005 at 03:34:16PM +0200, Christoph Puppe wrote:
> Henderson, Dennis K. wrote:
>
> > It seems like he was looking for information on how to prevent this.
>
> The most thorough way to prevent proxy abuses that use the CONNECT
> feature to simulate valid HTTPS traffic is breaking up all these
> connections, decrypting them and having them scrutinized with your normal
> content security tool. The proxy acts like a man-in-the-middle attacker: it
> gets the HTTPS connection, produces a certificate that matches the site
> being requested and presents this to the client. The client agrees on a
> session-key with the proxy and starts sending requests. The proxy pipes
> these requests through some logic to determine if this is an OK request;
> most firewalls and CS-Tools will do this for you. Then the proxy opens a
> new connection to the site requested, checks the certificate and sends the
> requests. The results are processed likewise.
>
> Sounds complicated? It's a little more challenging than a simple proxy
> and the clients all need to have a new Root-CA-Certificate that is used by
> the proxy to sign the fake-certificates. Works fine. Keeps the tunnels
> closed _and_ you get content security for https connections. No more
> viruses from Web-Mail accounts that use https.
>
> Of course, setting the firewall so that the proxy may only connect to
> 80, 443, 8080 and other well-known http/s ports should be done. Monitoring
> logfiles is a good idea as well.

The problem, of course, being that this makes verification of the remote
end of the connection impossible as well as compromising privacy for the
parties behind the firewall.

So this will also make HTTPS less useful for the user. There is a
trade-off here...
Joachim
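
The port restriction and logfile monitoring suggested in the quoted message can be checked mechanically. The following is an added example, not part of the original thread: it assumes the proxy writes Squid's native access.log format, and the 30-minute tunnel threshold and all sample log lines are constructed for illustration.

```python
import re
from collections import namedtuple

ALLOWED_PORTS = {80, 443, 8080}   # the ports named in the quoted message
MAX_TUNNEL_MS = 30 * 60 * 1000    # assumed threshold, not from the thread

Finding = namedtuple("Finding", "client target reason")

# Assumed layout (Squid native log): time elapsed_ms client action/status bytes method target ...
LINE = re.compile(
    r"^\s*[\d.]+\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/\d{3}\s+\d+\s+(?P<method>\S+)\s+(?P<target>\S+)"
)

def review_connects(lines):
    """Flag CONNECT requests that break the port policy or stay open too long."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "CONNECT":
            continue  # unparsable line or ordinary HTTP request
        port = m["target"].rpartition(":")[2]
        denied = m["action"].endswith("DENIED")
        if not port.isdigit():
            reason = "malformed CONNECT target"
        elif int(port) not in ALLOWED_PORTS:
            # A denied attempt shows the ACL works; an allowed one is a policy gap.
            reason = ("denied attempt" if denied else "tunnel ALLOWED") + f" to port {port}"
        elif not denied and int(m["ms"]) > MAX_TUNNEL_MS:
            # Without interception the tunnel is opaque, so duration is one of the few signals.
            reason = f"tunnel open {int(m['ms']) // 60000} min"
        else:
            continue
        findings.append(Finding(m["client"], m["target"], reason))
    return findings

# Constructed sample lines (documentation addresses and example domains).
SAMPLE_LOG = [
    "1116415549.123     412 10.0.0.21 TCP_MISS/200 5320 CONNECT webmail.example.com:443 - DIRECT/192.0.2.10 -",
    "1116415551.456       3 10.0.0.35 TCP_DENIED/403 1402 CONNECT host.example.net:22 - NONE/- text/html",
    "1116415560.789 7300211 10.0.0.35 TCP_MISS/200 88123456 CONNECT host.example.net:443 - DIRECT/192.0.2.77 -",
    "1116415570.000      95 10.0.0.21 TCP_MISS/200 2048 GET http://www.example.org/ - DIRECT/192.0.2.20 text/html",
    "1116415580.000    1200 10.0.0.40 TCP_MISS/200 90210 CONNECT relay.example.net:6667 - DIRECT/192.0.2.99 -",
]

if __name__ == "__main__":
    for f in review_connects(SAMPLE_LOG):
        print(f"{f.client:<12} {f.target:<28} {f.reason}")
```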
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:21 EDT