[1593] in cryptography@c2.net mail archive
Re: SSL Proxy discussion
daemon@ATHENA.MIT.EDU (tzeruch@ceddec.com)
Tue Sep 23 13:55:16 1997
Date: Tue, 23 Sep 1997 13:36:56 -0400
From: tzeruch@ceddec.com
To: Adam Shostack <adam@homeport.org>
cc: Cryptography Mail list <cryptography@c2.net>
In-Reply-To: <199709231018.GAA21104@homeport.org>
On Tue, 23 Sep 1997, Adam Shostack wrote:
> I've been having an interesting discussion about proxies and MITM
> tools on Marcus Ranum's new moderated firewall wizards mailing list.
> I'm hoping some of the cryptographers here could join and comment on
> the feasibility of adding a third party (a firewall proxy) to an SSL
> connection such that the proxy can read traffic, and decide to kill
> the connection, but not to modify the content silently. (Yes, I'm
> leaving a chance that the proxy could modify content, if it announces
> itself as doing so.)
>
> The archive is available on
> http://www.nfr.net/firewall-wizards/mail-archive/1997/Sep/0005.html,
> and the mail list is majordomo@nfr.net
>
> Adam
You would need a digital signature on the content from the source to avoid
the possibility of silent modification.
I run into this with my generic SSL proxy when it is acting like
SafePassage - if it rejects the cert, it has to kill the connection
because I can't "easily" modify the content to simply add the cert
errors, e.g. an "Untrusted CA" banner on top.
The only other possible method I can think of would be running a
browser-as-proxy (e.g. run netscape or lynx on the firewall itself) so you
could see the transaction data - though you could still theoretically
alter things like bitmaps, it would be much harder.
Is it "subscribe firewall-wizards" to the above address?
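The reply's point, that a proxy which can read the stream can also rewrite it unless the origin signs the content end to end, is easy to see in code. The following Go program is an added illustration, not code from this message or from the SafePassage-style proxy the author mentions: the origin signs each body with Ed25519, the firewall proxy reads the plaintext and may kill the connection, and the client checks the origin's signature. The wire format (`SignedContent`), the function names, the blocked-term policy and the "Untrusted CA" banner body are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// SignedContent is a constructed wire format for this example: the content
// body plus a detached Ed25519 signature made by the origin server.
type SignedContent struct {
	Body      []byte
	Signature []byte
}

// Origin stands in for the content source. Only it holds the signing key;
// the proxy and the client see just the public key.
type Origin struct {
	priv ed25519.PrivateKey
}

// NewOrigin generates a fresh Ed25519 key pair and returns the origin plus
// the public key that clients obtain out of band (e.g. pinned or certified).
func NewOrigin() (*Origin, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Origin{priv: priv}, pub, nil
}

// Publish signs the body; the signature is what lets a client notice any
// change made by an intermediary between origin and client.
func (o *Origin) Publish(body string) SignedContent {
	b := []byte(body)
	return SignedContent{Body: b, Signature: ed25519.Sign(o.priv, b)}
}

// ProxyInspect models the firewall proxy from the discussion: it reads the
// plaintext and decides whether to let the connection continue (true) or
// kill it (false). It has no signing key, so read-and-kill is all it can do
// without the client detecting it.
func ProxyInspect(c SignedContent, blockedTerms []string) bool {
	body := strings.ToLower(string(c.Body))
	for _, t := range blockedTerms {
		if strings.Contains(body, strings.ToLower(t)) {
			return false
		}
	}
	return true
}

// AlterInTransit models the case the reply says cannot be done silently: an
// intermediary prepends a banner (the "Untrusted CA" notice from the post)
// while forwarding the origin's original signature unchanged.
func AlterInTransit(c SignedContent, banner string) SignedContent {
	return SignedContent{
		Body:      append([]byte(banner), c.Body...),
		Signature: c.Signature,
	}
}

// ClientVerify is the end-to-end check: true only if the body is exactly
// what the origin signed. A malformed or missing signature also fails.
func ClientVerify(pub ed25519.PublicKey, c SignedContent) bool {
	if len(c.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, c.Body, c.Signature)
}

func main() {
	origin, pub, err := NewOrigin()
	if err != nil {
		panic(err)
	}
	// Constructed sample body; any bytes the origin serves would do.
	page := origin.Publish("<html>Welcome to the example site</html>")
	fmt.Println("proxy allows:", ProxyInspect(page, []string{"forbidden"}))
	fmt.Println("client accepts original:", ClientVerify(pub, page))
	altered := AlterInTransit(page, "<p>Untrusted CA</p>")
	fmt.Println("client accepts altered:", ClientVerify(pub, altered))
}
```

The proxy's two legitimate outcomes (forward unchanged, or kill) both leave `ClientVerify` consistent with what the origin sent; the banner case fails verification because the proxy never had the origin's private key. Announcing a modification, as the original poster allows, would have to be done out of band or by a separate proxy signature the client knows to expect, which this example does not model.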