HTTPS and man-in-the-middle - was Re: new message

Eric Christopherson echristopherson at gmail.com
Tue Nov 24 11:20:23 CST 2015


On Mon, Nov 23, 2015 at 12:16 AM, Adrian Stoness <tdk.knight at gmail.com>
wrote:

> Man this has turned in a hackerspace discussion on security
> On Nov 22, 2015 10:18 PM, "Dave Wade" <dave.g4ugm at gmail.com> wrote:
>

And here's today's installment:

Dell has been found to be including an easily cloned root certificate on
its laptops, similar to the Lenovo Superfish debacle:

http://arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/


>
> > For outbound TMG needs a browser plugin. For inbound its usual to
> terminate
> > the SSL on the TMG firewall and then TMG opens a new SSL session to the
> > backend web server. For this to work TMG needs to have a copy of the
> > certificate including the private key. Wildcard certs are commonly used
> > with TMG but having a FQDN only guarantees the server is under control of
> > the certificate owner. You can have multiple sites on the same server, or
> > have a single site load balanced across multiple servers. SQUID will do
> the
> > same trick, but I have always run squid on the same box as the web farm,
> > but this isn't required...
> > On Nov 23, 2015 5:48 AM, "Toby Thain" <toby at telegraphics.com.au> wrote:
> >
> > > On 2015-11-22 5:25 PM, Mouse wrote:
> > >
> > >> https is supposed to prevent "man in the middle" attacks, provided you
> > >>> enfor$
> > >>>
> > >>
> > >> That was the original theory, as I understand it.
> > >>
> > >> But there are way too many "in most browsers by default" CAs that are
> > >> willing to sell wildcard certs such as can be used for MitM attacks
> > >> without disturbing cert validity checks.  I even recall hearing of
> some
> > >> caching proxy (squid maybe?) that, out of the box, could use such a
> > >>
> > >
> > > Microsoft Forefront TMG maybe?
> > >
> > >
> >
> http://itknowledgeexchange.techtarget.com/itanswers/https-inspection-within-forefront-threat-management-gateway-2010/
> > >
> > > --Toby
> > >
> > >
> > > cert to provide caching for HTTPS connections - they're that common.
> > >> ...
> > >>
> > >> /~\ The ASCII                             Mouse
> > >> \ / Ribbon Campaign
> > >>   X  Against HTML               mouse at rodents-montreal.org
> > >> / \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
> > >>
> > >>
> > >
> >
>



-- 
        Eric Christopherson


More information about the cctalk mailing list