On Mon, Nov 23, 2015 at 12:16 AM, Adrian Stoness <tdk.knight at gmail.com> wrote:
Man this has turned into a hackerspace discussion on security

On Nov 22, 2015 10:18 PM, "Dave Wade" <dave.g4ugm at gmail.com> wrote:
And here's today's installment:

Dell has been found to be including an easily cloned root certificate on
its laptops, similar to the Lenovo Superfish debacle:
http://arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-…

For outbound TMG needs a browser plugin. For inbound it's usual to terminate
the SSL on the TMG firewall and then TMG opens a new SSL session to the
backend web server. For this to work TMG needs to have a copy of the
certificate including the private key. Wildcard certs are commonly used
with TMG but having a FQDN only guarantees the server is under control of
the certificate owner. You can have multiple sites on the same server, or
have a single site load balanced across multiple servers. SQUID will do the
same trick, but I have always run squid on the same box as the web farm,
but this isn't required...

On Nov 23, 2015 5:48 AM, "Toby Thain" <toby at telegraphics.com.au> wrote:
> On 2015-11-22 5:25 PM, Mouse wrote:
>
>>> https is supposed to prevent "man in the middle" attacks, provided you
>>> enfor$
>>>
>>
>> That was the original theory, as I understand it.
>>
>> But there are way too many "in most browsers by default" CAs that are
>> willing to sell wildcard certs such as can be used for MitM attacks
>> without disturbing cert validity checks. I even recall hearing of some
>> caching proxy (squid maybe?) that, out of the box, could use such a
>> cert to provide caching for HTTPS connections - they're that common.
>
> Microsoft Forefront TMG maybe?
>
> http://itknowledgeexchange.techtarget.com/itanswers/https-inspection-within…
>
> --Toby
>
>> ...
>>
>> /~\ The ASCII                 Mouse
>> \ / Ribbon Campaign
>>  X  Against HTML              mouse at rodents-montreal.org
>> / \ Email!       7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

--
Eric Christopherson
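Both problems the thread circles around (a wildcard cert bought from some CA the browser already trusts, and an extra root such as the Dell or Superfish one installed on the client) share a property: ordinary chain validation passes, because the chain really does end in a trusted root. The defence is to check not just that the chain validates but which root it ends in. The Go program below is an added example, not code from the thread or from any of the posters; the CA names, the example.com hostnames and the use of a SHA-256 fingerprint of the root as the pin are all constructed for the demonstration, and every certificate is generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example, not from the thread. All names below are constructed;
// nothing here is a real CA, host or key.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRoot builds a self-signed CA, standing in for either a public root
// or a locally installed interception root. Panics on error (demo only).
func newRoot(name string) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert: cert, key: key}
}

// issueLeaf signs a server certificate (possibly a wildcard) with this CA.
func (c *ca) issueLeaf(dnsName string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Fingerprint is the hex SHA-256 of the certificate's DER bytes.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyPinned runs normal chain validation against the trust store and
// then insists that at least one valid chain ends in the pinned root.
func VerifyPinned(leaf *x509.Certificate, host string, store *x509.CertPool, pinnedRoot string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if Fingerprint(chain[len(chain)-1]) == pinnedRoot {
			return nil
		}
	}
	return errors.New("chain validates but does not end in the pinned root: interception or mis-issuance")
}

// Demo returns (genuine leaf passes pinning, wildcard from the other root
// passes plain validation, wildcard from the other root passes pinning).
func Demo() (bool, bool, bool) {
	realCA := newRoot("Constructed Public Root")
	otherCA := newRoot("Constructed Interception Root")
	// Both roots are trusted, as on a machine with an extra root installed.
	store := x509.NewCertPool()
	store.AddCert(realCA.cert)
	store.AddCert(otherCA.cert)

	host := "www.example.com"
	genuine := realCA.issueLeaf(host)
	wildcard := otherCA.issueLeaf("*.example.com") // covers host too
	pin := Fingerprint(realCA.cert)

	genuineOK := VerifyPinned(genuine, host, store, pin) == nil
	_, plainErr := wildcard.Verify(x509.VerifyOptions{DNSName: host, Roots: store})
	return genuineOK, plainErr == nil, VerifyPinned(wildcard, host, store, pin) == nil
}

func main() {
	fmt.Println(Demo()) // true true false
}
```

The middle result is the point Mouse makes: the wildcard issued by the other root validates cleanly against the trust store, so nothing in the browser's usual checks objects. Only the pin, which encodes the operator's knowledge of which root the site actually uses, distinguishes it. The same check is what TMG-style inbound bridging is compatible with (the firewall presents the site's own cert, so the pinned root is unchanged) and what outbound inspection with a local root is not.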