[WEB SECURITY] SSL does not = a secure website

Jos josmtx at gmail.com
Tue Mar 28 10:13:56 EST 2006


What about man in the middle devices such as proxies? I have several devices
on my network that encrypt and decrypt SSL on the fly and can be used to
monitor what is sent to and an ECommerce site.

The one device {BlueCoat} even has a specialized card for this so it doesn't
take from the central processor. We use it for forward proxy, and also
reverse proxy in front of our ECommerce site, so if I wanted to I could read
the actual packet payload in the clear without either end knowing the data
has been decrypted.

We also have several sniffers with cards in them to do the same thing, after
all, the sniffers and BlueCoat see the entire conversations so know what the
encryption is.

You need to tell all the truth. Getting access to clear data (otherwise SSL
protected) with a reverse proxy is only possible if you import your server
private key in it. If you do that, well, you better know what you are doing.
Getting access to clear data with a forward proxy is not possible for sites
that you do not own, since you need the destination site's private key. You
could try a man in the middle attack at the proxy level, and this might work
since users do not understand security warnings about certificates not being
from a trusted authority (well, they tend to be educated the hard way).

Jocelyn
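
The certificate check described in the reply above, as an added lab example that is not part of the original thread: it builds two throwaway CAs with the `openssl` CLI and shows that a certificate a proxy mints for a site it does not own fails validation unless the client has been set up to trust the proxy's CA, and that its fingerprint differs from the real one either way. The names `shop.example`, `Public CA` and `Proxy CA` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added lab example; every name here (shop.example, "Public CA", "Proxy CA")
# is constructed. Requires the openssl command-line tool.
set -eu

make_ca() {      # make_ca <prefix> <CN>: self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_leaf() {   # issue_leaf <ca-prefix> <leaf-prefix> <CN>: leaf signed by that CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

trusted() {      # trusted <trust-store.pem> <leaf.crt>: prints yes or no
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

run_lab() (      # subshell body, so the cd does not leak to the caller
  dir=$(mktemp -d); cd "$dir"
  make_ca public "Public CA"              # CA the browser already trusts
  make_ca proxy  "Proxy CA"               # CA held only by the intercepting proxy
  issue_leaf public site   shop.example   # certificate the real server presents
  issue_leaf proxy  forged shop.example   # certificate the proxy presents instead
  cat public.crt proxy.crt > managed.pem  # client that had the proxy CA installed
  real=$(trusted public.crt site.crt)
  forged=$(trusted public.crt forged.crt)
  managed=$(trusted managed.pem forged.crt)
  if [ "$(fp site.crt)" = "$(fp forged.crt)" ]; then same=yes; else same=no; fi
  cd /; rm -rf "$dir"
  echo "real=$real forged=$forged forged_managed=$managed same_fingerprint=$same"
)

run_lab
```

The `forged_managed=yes` result is why a client that wants to notice interception compares the presented certificate's issuer or fingerprint against a known-good value rather than relying on the absence of a warning.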