SSL/TLS passive sniffing

Dirk-Willem van Gulik dirkx at webweaving.org
Wed Dec 1 04:53:19 EST 2004



On Tue, 30 Nov 2004, Ben Nagy wrote:

> I'm a bumbling crypto enthusiast as a sideline to my other, real, areas of
> security expertise. Recently a discussion came up on firewall-wizards about
> passively sniffing SSL traffic by a third party, using a copy of the server

Access to the private key of the server cert gives you the ability to do
active sniffing and in some subset of cases passive sniffing. Access to
the session key (which requires the right permissions and access to the
httpd server) gives you passive sniffing.

It is not uncommon to set this up for customers in the commercial/banking
sectors to help them comply with certain audit requirements.

Note however that in each case it requires violating the web server's
security realm and/or storing something in two places. So technically it
may make much more sense to plug a module into each web server itself with
a sufficiently secure aggregation backend to accomplish this.

However, due to widely varying workflows/business processes at customers I have
found myself doing both.

As a closing note - the attitude of personnel towards the confidentiality
of data gathered by IDS and firewall running departments is often a lot
different than that of those directly responsible for the business processes due to
their different roles and responsibilities ('everyone is bad' vs.
'customers are sacred') - which is something you want to take into
account.

Dw.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
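A worked model of the three cases the reply distinguishes (server private key with RSA key transport, server private key with an ephemeral exchange, and a session key exported from the endpoint), added here as an example; it is not code from the original post or its author. The key schedule (SHA-256 of the premaster as the AES-256 key) and the record layer (AES-GCM with a fixed nonce for a single record) are simplifying stand-ins for the TLS PRF and record framing, marked as such in comments; the RSA encryption and signing, the P-256 ECDH and the client's signature check are real operations from Go's standard library. The `Capture` type, all function names and the sample record are this example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Capture is what a passive sniffer sees on the wire for one session.
type Capture struct {
	ClientKeyExchange []byte   // RSA case: premaster encrypted to the certificate's public key
	EphemeralPubs     [][]byte // ECDHE case: the ephemeral public points (signed, never encrypted)
	Record            []byte   // one encrypted application-data record
}

// deriveKey is a demo stand-in for the TLS key schedule: SHA-256(premaster) as the AES-256 key.
func deriveKey(premaster []byte) []byte { k := sha256.Sum256(premaster); return k[:] }

// aead is the record-layer cipher (AES-256-GCM). An all-zero nonce is acceptable only
// because each modelled session encrypts exactly one record.
func aead(key []byte) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)
	return g, make([]byte, g.NonceSize())
}

func seal(key, pt []byte) []byte { g, n := aead(key); return g.Seal(nil, n, pt, nil) }

// passiveWithSessionKey decrypts a captured record with a session key exported by an
// endpoint (the server-side module of the post); nil models "not available".
func passiveWithSessionKey(exportedKey []byte, c Capture) ([]byte, error) {
	if len(exportedKey) != 32 {
		return nil, fmt.Errorf("no usable session key from the endpoint")
	}
	g, n := aead(exportedKey)
	return g.Open(nil, n, c.Record, nil)
}

// rsaSession models RSA key transport (TLS_RSA_* suites): the client chooses the
// premaster and sends it encrypted under the certificate key with PKCS#1 v1.5.
func rsaSession(serverPub *rsa.PublicKey, plaintext []byte) (Capture, error) {
	premaster := make([]byte, 48)
	rand.Read(premaster) // crypto/rand.Reader is specified not to fail
	cke, err := rsa.EncryptPKCS1v15(rand.Reader, serverPub, premaster)
	if err != nil {
		return Capture{}, err
	}
	return Capture{ClientKeyExchange: cke, Record: seal(deriveKey(premaster), plaintext)}, nil
}

// passiveRSA: with the server's private key the observer recovers the premaster from
// the captured ClientKeyExchange and decrypts the record offline.
func passiveRSA(serverPriv *rsa.PrivateKey, c Capture) ([]byte, error) {
	premaster, err := rsa.DecryptPKCS1v15(rand.Reader, serverPriv, c.ClientKeyExchange)
	if err != nil {
		return nil, err
	}
	return passiveWithSessionKey(deriveKey(premaster), c)
}

// ecdheSession models an ephemeral ECDH exchange: the premaster is computed at both
// ends and never crosses the wire. Returns the capture and the endpoint's session key.
func ecdheSession(plaintext []byte) (Capture, []byte, error) {
	srvEph, _ := ecdh.P256().GenerateKey(rand.Reader) // errors ignored: crypto/rand.Reader does not fail
	cliEph, _ := ecdh.P256().GenerateKey(rand.Reader)
	premaster, err := cliEph.ECDH(srvEph.PublicKey())
	if err != nil {
		return Capture{}, nil, err
	}
	key := deriveKey(premaster)
	pubs := [][]byte{srvEph.PublicKey().Bytes(), cliEph.PublicKey().Bytes()}
	return Capture{EphemeralPubs: pubs, Record: seal(key, plaintext)}, key, nil
}

// activeImpersonation is the active path the private key still opens with ECDHE: the
// interceptor signs its own ephemeral key with the stolen certificate key, and that
// signature is all the client checks. Reports whether the forged ServerKeyExchange verifies.
func activeImpersonation(serverPriv *rsa.PrivateKey) (bool, error) {
	mitmEph, _ := ecdh.P256().GenerateKey(rand.Reader)
	digest := sha256.Sum256(mitmEph.PublicKey().Bytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, serverPriv, crypto.SHA256, digest[:])
	if err != nil {
		return false, err
	}
	return rsa.VerifyPKCS1v15(&serverPriv.PublicKey, crypto.SHA256, digest[:], sig) == nil, nil
}

func main() {
	serverPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg := []byte("POST /transfer amount=100") // constructed sample record
	c1, _ := rsaSession(&serverPriv.PublicKey, msg)
	c2, key, _ := ecdheSession(msg)
	pt1, err1 := passiveRSA(serverPriv, c1)
	_, err2 := passiveWithSessionKey(nil, c2)
	pt3, _ := passiveWithSessionKey(key, c2)
	forged, _ := activeImpersonation(serverPriv)
	fmt.Printf("RSA transport + private key: %q (%v)\nECDHE + private key only: %v\n", pt1, err1, err2)
	fmt.Printf("ECDHE + exported session key: %q\nECDHE + private key used actively: accepted=%v\n", pt3, forged)
}
```

The "subset of cases" in the reply is the first branch: with RSA key transport the private key alone turns a capture into plaintext after the fact, while with an ephemeral exchange the same key only lets an interceptor sign its own ephemeral value and sit in the path (active), and offline decryption needs the session key handed out by the endpoint, which is exactly the second-copy-of-a-secret problem the reply raises.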