HTTPS and man-in-the-middle - was Re: new message

Adrian Stoness tdk.knight at gmail.com
Mon Nov 23 00:16:48 CST 2015


Man, this has turned into a hackerspace discussion on security.
On Nov 22, 2015 10:18 PM, "Dave Wade" <dave.g4ugm at gmail.com> wrote:

> For outbound TMG needs a browser plugin. For inbound it's usual to terminate
> the SSL on the TMG firewall and then TMG opens a new SSL session to the
> backend web server. For this to work TMG needs to have a copy of the
> certificate including the private key. Wildcard certs are commonly used
> with TMG but having a FQDN only guarantees the server is under control of
> the certificate owner. You can have multiple sites on the same server, or
> have a single site load balanced across multiple servers. SQUID will do the
> same trick, but I have always run squid on the same box as the web farm,
> but this isn't required...
> On Nov 23, 2015 5:48 AM, "Toby Thain" <toby at telegraphics.com.au> wrote:
>
> > On 2015-11-22 5:25 PM, Mouse wrote:
> >
> >> https is supposed to prevent "man in the middle" attacks, provided you
> >>> enfor$
> >>>
> >>
> >> That was the original theory, as I understand it.
> >>
> >> But there are way too many "in most browsers by default" CAs that are
> >> willing to sell wildcard certs such as can be used for MitM attacks
> >> without disturbing cert validity checks.  I even recall hearing of some
> >> caching proxy (squid maybe?) that, out of the box, could use such a
> >>
> >
> > Microsoft Forefront TMG maybe?
> >
> >
> http://itknowledgeexchange.techtarget.com/itanswers/https-inspection-within-forefront-threat-management-gateway-2010/
> >
> > --Toby
> >
> >
> >> cert to provide caching for HTTPS connections - they're that common.
> >> ...
> >>
> >> /~\ The ASCII                             Mouse
> >> \ / Ribbon Campaign
> >>   X  Against HTML               mouse at rodents-montreal.org
> >> / \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
> >>
> >>
> >
>
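The thread above turns on two facts: a browser accepts any certificate that chains to a trusted CA and whose name covers the host (a wildcard `*.example.com` included), and a terminating proxy such as the TMG setup Dave describes is therefore indistinguishable from the origin unless the client has some expectation about the server's key. The following is an added example, not code from anyone in the thread, showing those two default checks and the extra public-key pin check that notices a substituted certificate. The certificates, issuer names and SPKI bytes are constructed stand-ins (only the hash of the SubjectPublicKeyInfo matters for pinning).

```python
"""Hostname matching and SPKI pinning, as a defender-side illustration of the
HTTPS-interception discussion. All certificate data below is constructed."""
import base64
import hashlib


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style wildcard matching.

    The wildcard must be the entire left-most label and matches exactly one
    label: '*.example.com' covers 'www.example.com' but not 'example.com',
    'a.b.example.com' or an IDNA label such as 'xn--abc.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole first label, never '*.com', never 'w*.example.com'.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    if h_labels[0].startswith("xn--"):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert: dict, hostname: str) -> bool:
    """True if any subjectAltName DNS entry matches the requested host."""
    return any(hostname_matches(name, hostname) for name in cert["san"])


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def verify(cert: dict, hostname: str, trusted_issuers: set, pins: set) -> str:
    """Apply the two checks a browser performs by default (trusted issuer,
    name covers host) and then the pin check. A cert from any trusted CA that
    covers the name passes the first two; only the pin tells the origin's
    key apart from a proxy's."""
    if cert["issuer"] not in trusted_issuers:
        return "reject: issuer not trusted"
    if not cert_covers_host(cert, hostname):
        return "reject: hostname mismatch"
    if pins and spki_pin(cert["spki"]) not in pins:
        return "reject: public key not pinned (possible interception)"
    return "accept"


# Constructed sample data: the site's own cert and a wildcard cert for the same
# domain issued by a different, also trusted, CA (the terminating-proxy case).
TRUSTED_CAS = {"Constructed Root CA 1", "Constructed Root CA 2"}
ORIGIN_CERT = {
    "issuer": "Constructed Root CA 1",
    "san": ["www.example.com", "example.com"],
    "spki": b"constructed-spki-der-of-origin-server-key",
}
PROXY_CERT = {
    "issuer": "Constructed Root CA 2",
    "san": ["*.example.com"],
    "spki": b"constructed-spki-der-of-proxy-key",
}
ORIGIN_PINS = {spki_pin(ORIGIN_CERT["spki"])}

if __name__ == "__main__":
    host = "www.example.com"
    print("no pins, origin :", verify(ORIGIN_CERT, host, TRUSTED_CAS, set()))
    print("no pins, proxy  :", verify(PROXY_CERT, host, TRUSTED_CAS, set()))
    print("pinned,  origin :", verify(ORIGIN_CERT, host, TRUSTED_CAS, ORIGIN_PINS))
    print("pinned,  proxy  :", verify(PROXY_CERT, host, TRUSTED_CAS, ORIGIN_PINS))
```

Without pins both certificates are accepted for `www.example.com`, which is the situation Mouse and Dave describe; with the origin's key pinned, the wildcard certificate from the second CA is rejected even though it is perfectly valid.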


More information about the cctalk mailing list