Re: [Full-Disclosure] SSL Filtering - OFFTOPIC

["Kurt Seifried" <listuser@seifried.org>]

> Now you can buy products off-the-shelf that man-in-the-middle SSL with
> the "new feature" called SSL Filtering; both WebWasher and Secure
> Computing are offering this functionality.

Not new, I remember discussing this years ago, however implementation is
another story.

> In summary, the transparent SSL proxy dynamically issues certificates
> for any SSL server you try to communicate with (e.g. "etrade.com"),
> which allows it to act as though it were the actual server and proxy,
> decrypt, and filter all SSL information from the server. Somehow or
> another, your browser must trust the proxy server's own root CA. Of
> course, your company's security policy will surely require you to do so.

If you control the client to such a degree (being able to force installation
of root authority certificates) then it's a moot point. If however you can
trick the client into installing such a certificate, and maybe fiddle their
DNS server settings at the same time, you have a larger problem. Like the
SWEN virus did.....

Personally I think this is going to be a huge area. Why dick around stealing
credit card numbers/etc when you can simply sieze someone's online
banking/brokering credentials, or a few hundred such accounts oh, just like
Van T. Dinh did:

http://www.theregister.co.uk/content/55/33320.html

$90,000 for the cost of sending someone a small trojan. Not a bad
risk/reward ratio, if you can figure out how to launder the money.

Things will probably get a lot worse before they get well and truly bad, to
say nothing of when they get utterly horrible.

Sort of wish I'd patented this now ("one-click financial fraud"?).

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html