Robert Collins wrote:
> Ah yes, so I did. Whoops. Got those rose coloured glasses on again...
> Joe's absolutely correct here, you can not, and must not intercept SSL
> sessions. If your firewall won't allow them through without them being
> proxied, then don't use interception. In point of fact, don't use
> interception anyway :}.
Fully agreed, and yet I find that we (MARA Systems AB) need to support
interception in our products..
it is a shame that the network driven proxy discovery like WPAD or
similar solutions hasn't got a widespread coverage. If there was a
usable mechanism for discovering proxies and hard to disable for the
causal user (the "off" button hidden somewhere deep and obscure in the
browser preferences) then most of the Interception hacking wouldn't be
required I think.
Interception should play a role at the server endpoint only (if at all),
redefining what the server endpoint is, not in the middle of the network
completely trashing the end-to-end semantics of TCP/IP.
Regards
Henrik
Received on Wed Jan 09 2002 - 16:26:05 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:05:48 MST