On Thu, 5 Aug 2004, Michael Gale wrote:
> So to filter hotmail attachments for viruses to secure the network you
> create a fake CA for all HTTPS requests and tell every browser to trust
> this CA.
Yes.
> You have just screwed over all HTTPS security -- with all the IE bugs
> with regards to redirection, fake urls in the address bar and
> everything.
Yes, but intentionally so.
> You have just made it 100 times easier for a hacker to exploit credit
> card information and banking information from all of your internal
> employees I would think.
If you allow access to such sites yes.
Most entities looking into this kind of filtering of https sites do not
at all allow personal banking.
> Unless you are having squid verify every certificate plus the url it is
> displaying to the client and so on.
Of course Squid must do this. This is why I said the user has no control over
the policy of what quality of the server certificates to accept, it is all
up to the policy defined in the proxy.
> When you think about it, if you want to make the network secure why allow
> hotmail access? Do they need it for work? I would think not.
Problem is how to find and block all of them...
Regards
Henrik
Received on Thu Aug 05 2004 - 10:32:19 MDT