Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Hi,
I'm currently looking into intercepting SSL traffic at our company to prevent data leakage and to protect against malware / botnets that use HTTPs to communicate with their command center. I came across WebWasher in the following blog post and was wondering if there was an open source solution that would give me similar results:
* intercepts and deciphers the SSL connection while it's outgoing
* inspect the unencrypted traffic. If it's okay, it regenerates an SSL connection to the target system
* to keep it transparent to users, it generates a certificate with the CN of the target site and signs it with the organization's CA which is trusted by user's web browsers.
Yes, you can filter all things to use "your" SSL certificate but this will break quite a lot of things that like to use SSL certificates - basically anything that properly verifies the certificate chain - some browsers will go ape at tricks like this, and some secure update mechanisms etc. will stop working. Not to mention that lots of things use SSL as a "wrapper" around their usual communications, so you may find that a lot of stuff like some VPN's, update tools, etc. will just freak out at such shenanigans.
Additionally, that's a LOT of CPU overhead on the middle-man server.
Much easier and simpler is to block SSL connections entirely - this means layer-7 packet classifiers etc. and a black/whitelist of sites that are "allowed". That way anything that tries to use SSL to connect anywhere will be blocked unless you've specifically allowed the source/destination/user to do so. That stops your "information leakage" problem without leaving yourself liable to all sorts of problems that come from trying to proxy secure traffic.
Not to mention that it's a highly-suspect policy to routinely intercept and read all secure communications, whether the users are warned or not.
If i may add some advice as i just got done demoing the webwasher along with many other product that do SSL.
The current products that do SSL interception good are Ironport S650, Webwasher, and Bluecoat SG. With that said they all run about $25-$30K each.
The cert does not uses the all the information from the target site. You have to put a trusted Cert on the box. I have an entire 20 page report that i did on all the different products for work. I will try and scrub the report of company info and share it with everyone.
The Bluecoat quote I received yesterday was $7,000.00 for the Appliance. But we are a small environment and licensing is user based so that cost could increase rather rapidly. Just didn't want anyone to think that $25K was always the starting point for these appliances.
That being said I would LOVE to see that report you put together slimm609, as I am preparing to purchase one of these units in the very near future.
I found this thread very interesting but i am somehow confused, perhaps someone can explain.
Doesn't SSL use asymmetric encryption? This means that the client uses the the server's public key to encrypt and data can only be decrypted with the server's private public. Is is possible to decrypt without the private key?
Thank you
later: hmm it seems that only the authentication is done with public/private keys, the data transfer is encrypted using symmetric encryption - the shared secret
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
