OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
RE: Security tool for monitoring HTTPS traffic?

najeeb.hatamigsa.gov
Date: Fri Feb 27 2004 - 06:53:30 CST

Glyn,

You mentioned a greate point. some of these people could be hackers trying
to monitor HTTPS Traffice. what he wants to monitor https first of all.
like you said he should have access to Server SSL KEYS.

NH.

                                                                                                                                 
                                                                                                                                 
                    Glyn To: "'John Reilly'" <JReillyeSpatial.com>, "'Thomas Chiverton'"
                    <glyngmoiler. <thomas.chivertonbluefinger.com>
                    com> cc: webappsecsecurityfocus.com, (bcc: Najeeb Hatami/CONTRACTOR/PI/CO/GSA/GOV)
                                         Subject: RE: Security tool for monitoring HTTPS traffic?
                    02/26/2004
                    06:41 PM
                                                                                                                                 
                                                                                                                                 

> > > > Are they products they can look inside HTTPS traffic? Some
> > > > customers doesn't trust HTTPS traffic going inside the company
> > > > over the proxy!
> > >
> > > There is no way to look at the plain text content inside
> > the https traffic
> > > - that would defeat the whole purpose of https.
> >
> > 4 words: Man in the middle.
> >
> > It's perfectly possable to intercept the inital exchange,
> and present
> > the apperence of HTTPS, while evesdropping on the plain text.
>
> Yes, you can do a man in the middle attack - I was thinking
> about passive interception, which is what I thought was being
> asked about (a product to look into any arbitrary https
> stream going through a proxy).
>

Its not clear exactly what we're trying to achieve here.

If you are the provider of the HTTPS server then you presumably have access
to the server SSL keys. There are IDS products(1) that will use the keys
and to monitor the content of HTTPS traffic as they would clear-text
communications. You could use those to monitor/log/manage all requests

Glyn.

(1) Unforutunately I can't remember which product I've seen that does this.
Hopefully it'll job someone's memory on the list.