[Dshield] SSL Proxy Cache
Kevin
kkadow at gmail.com
Mon May 15 23:08:57 GMT 2006
On 5/15/06, Jon R. Kibler <Jon.Kibler at aset.com> wrote:
> We have a client with a need to do content inspection of all information
> sent via HTTPS and other SSL/TLS variants. Anyone know of a commercial
> product that is an SSL Proxy Server that does content caching and allows
> for content inspection? (Something like SQUID for SSL.) Any experience
> using such a product?
There are commercial products which will do SSL "interception" proxying.
Examples include Bluecoat, and perhaps Radware and Checkpoint.
TMK, none of these enable caching of the SSL content when used as a
forward proxy for outbound web-browsing. I see many pitfalls.
> where the SSL proxy decrypts traffic, does content filtering (both directions),
> reencrypts the traffic, and sends it on to its destination.
I would be extremely nervous about deploying SSL proxy as a forward proxy,
in part for the reason given by Shane Castle.
I understand the reasoning behind doing SSL interception just for
content filtering, but even in a corporate, .gov, or .mil situation
where the user may have explicitly or implicitly signed away all of their
privacy rights, there is some expectation that SSL traffic is not going
to be visible to a third party, much less cached.
On 5/15/06, Castle, Shane <scastle at co.boulder.co.us> wrote:
> My understanding of SSL is that an arrangement like this will break it.
> One-half of what SSL is all about, verifying the authenticity
> of the connected SSL server, cannot function in what looks like a
> classic man-in-the-middle attack.
The vendor gives a "trusted" signing key to load on intranet clients.
One of the "cool" things about these (otherwise quite evil) products
is that they can intercept the server certificate and verify it against
the _proxy's_ list of trusted roots and CRLs, and then inspect the
protocol inside the SSL to ensure that it is really HTTP,
and not SSH or MS-RPC or gnutella.
There are many weak clients which do not validate server certificates.
Kevin
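As an added example (not from Kevin's message or from any product named above), a stdlib-only Python client-side check of the two points raised: a client context that actually validates the server (roots, hostname, leaf CRL), next to the "weak client" configuration that validates nothing, plus a small test of whether the presented leaf was minted by an intranet interception CA. The certificate dicts and CA names are constructed placeholders.

```python
import ssl

# Constructed sample of ssl.SSLSocket.getpeercert() output for a leaf that
# an interception proxy re-signed with a hypothetical intranet CA.
INTERCEPTED_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp SSL Interception CA"),)),
}

# Constructed sample of the same site reached directly (placeholder CA name).
DIRECT_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Public Root CA Inc"),),
               (("commonName", "Public Root CA R3"),)),
}

def make_strict_client_context(cafile=None):
    """Client context that refuses unvalidated servers: trusted roots,
    hostname match and CRL check of the leaf (the CRL must be loaded via
    load_verify_locations, otherwise OpenSSL rejects every handshake)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx

def make_weak_client_context():
    """The 'weak client' case: no certificate validation at all, so any
    interposed party can present any certificate and be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def context_is_strict(ctx):
    """True only if roots, hostname and leaf CRL are all checked."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF))

def issuer_common_name(peercert):
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def is_intercepted(peercert, interception_ca_names):
    """True when the leaf was issued by one of the known interception CAs."""
    return issuer_common_name(peercert) in set(interception_ca_names)
```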