Tunneling through hostile proxy
Ben Laurie
ben at algroup.co.uk
Tue Jul 23 13:41:34 PDT 2002
Adam Back wrote:
> On Tue, Jul 23, 2002 at 06:11:04PM +0000, Jason Holt wrote:
>
>> The default behavior for an SSL proxy is to pass the encrypted bytes
>> back and forth, allowing you to connect all the way to the other server.
>
>
> This isn't just the default behavior; it's the only defined behavior
> right?
>
>
>> However, it is possible for the proxy to have its own CA which has
>> been added to your browser. Then it acts as a man in the middle and
>> pretends to be the remote host to you, and vice versa. In that
>> case, it works as you describe, watching the data during its interim
>> decryption.
>
>
> While it's _possible_ to do this, I've never heard of a server hosted
> application that advertises that it's doing this. I would think it
> would be quite hard to get a CA to issue you a certificate if this is
> what you intended to do with it (act as a general MITM on SSL
> connections you proxy).
Errr - it's tricky anyway, coz the cert has to match the final
destination, and, by definition almost, that can't be the proxy.
I believe it's pretty common for server farms to use SSL-enabled reverse
proxies where the SSL terminates at the proxy. Different scenario, though.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
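As an added illustration (not part of the original message, nor code from any project mentioned in the thread), the following Go program models the trust decisions the thread turns on: a passthrough tunnel, where the browser sees the real server certificate; an intercepting proxy whose forged certificate for the destination only verifies once the proxy's own CA has been added to the browser's trust store; and Ben's point that a certificate naming the proxy rather than the final destination fails the hostname check even when its CA is trusted. It also shows the check a practitioner would reach for: pinning the real server's public key, which flags the forged certificate regardless of which CAs the browser trusts. All certificates, keys, CA names and the hostnames example.test and proxy.test are constructed here and are assumptions of the example, not values from the original post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA bundles a constructed CA certificate with its private key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA builds a self-signed CA (constructed for this example).
func newCA(name string) CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return CA{Cert: mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), Key: key}
}

// issueLeaf has ca sign a server certificate for host, with a fresh key.
func issueLeaf(ca CA, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key))
}

// browserAccepts mimics the client: chain to a trusted root AND match the destination name.
func browserAccepts(leaf *x509.Certificate, trusted []CA, host string) bool {
	roots := x509.NewCertPool()
	for _, ca := range trusted {
		roots.AddCert(ca.Cert)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// spkiPinMatches compares SHA-256 digests of the SubjectPublicKeyInfo, the usual pinning check.
func spkiPinMatches(presented, expected *x509.Certificate) bool {
	return sha256.Sum256(presented.RawSubjectPublicKeyInfo) == sha256.Sum256(expected.RawSubjectPublicKeyInfo)
}

// Outcome records each scenario's verdict so it can be checked programmatically.
type Outcome struct {
	Passthrough, MITMUntrustedCA, MITMTrustedCA, MITMWrongName, PinDetectsMITM bool
}

func runScenarios() Outcome {
	const dest = "example.test" // hypothetical final destination
	siteCA := newCA("Public CA (constructed)")
	proxyCA := newCA("Intercepting Proxy CA (constructed)")
	realLeaf := issueLeaf(siteCA, dest)        // what a passthrough tunnel delivers
	forgedLeaf := issueLeaf(proxyCA, dest)     // what a MITM proxy presents for dest
	proxyLeaf := issueLeaf(proxyCA, "proxy.test") // a cert naming the proxy itself
	return Outcome{
		Passthrough:     browserAccepts(realLeaf, []CA{siteCA}, dest),
		MITMUntrustedCA: browserAccepts(forgedLeaf, []CA{siteCA}, dest),
		MITMTrustedCA:   browserAccepts(forgedLeaf, []CA{siteCA, proxyCA}, dest),
		MITMWrongName:   browserAccepts(proxyLeaf, []CA{siteCA, proxyCA}, dest),
		PinDetectsMITM:  !spkiPinMatches(forgedLeaf, realLeaf),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenarios())
}
```

Expected verdicts: Passthrough and MITMTrustedCA are true, MITMUntrustedCA and MITMWrongName are false, and PinDetectsMITM is true. The wrong-name case is the one Ben raises: trusting the proxy's CA is not enough on its own, because the forged certificate must also carry the destination's name, which is why an intercepting proxy has to mint a certificate per destination rather than present its own.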