#11 JEllingson (Master Untangler; Warner Robins, GA; joined Jan 2008; 342 posts)

    Untangle can't scan HTTPS traffic as it is encrypted between the server and client. A good reason you should still have desktop antivirus as well.

#12 Newbie (joined Jun 2008; 7 posts)

I would suggest the possibility to import a CA certificate and key into an Untangle rack called SSL Scanner.

    When any webrequest for a SSL site comes in, the Untangle will fetch the certificate from the remote SSL site, extract the CN, and store it in a variable.

    The Untangle then creates a CSR, and puts the CN from the remote site into the CSR, and then signs the CSR using the imported CA key.

The result will be a certificate for the remote site signed with the uploaded CA key.

Then it will send this certificate to the client. The traffic then passes unencrypted through all racks that filter or scan the HTTP traffic, and in the end it will be sent out using the remote site's certificate.

The result will be that the end users will get a certificate warning if they don't import the CA certificate into their browsers, but their SSL traffic will be scanned for viruses as well.

    The connection to untangle will look like this then:
    Client => Untangle SSL scanner -> Virus Blocker -> Spy blocker -> And so on.... -> Last HTTP rack => Internet

    Where => is encrypted and -> is not encrypted.
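The certificate-minting steps described in the post above (read the CN from the remote site's certificate, build a CSR with that CN, sign it with the imported CA key, hand the result to the client), as an added shell example using the openssl CLI. This is not Untangle's code: the "remote site" certificate is constructed locally instead of being fetched from a live server, and the CA name "Untangle SSL Scanner CA", the host www.example.com and the file names are assumptions. It also shows the two outcomes the post mentions: a client that imported the CA accepts the minted certificate, a client with only its default trust store gets a certificate error.

```shell
#!/bin/sh
# Added example (not Untangle's code): how an inspecting proxy mints a
# certificate for a site name using its own CA. The "remote site" is a
# locally constructed self-signed certificate. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so nothing depends on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Fresh P-256 private key written to $1 (EC chosen for speed in the demo).
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Constructed stand-in for the real remote site: a self-signed server
# certificate with CN $1, key written to $2 and certificate to $3.
make_remote_site_cert() {
    gen_key "$2"
    openssl req -new -key "$2" -subj "/CN=$1" -config "$WORK/req.cnf" -out "$WORK/remote.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/remote.ext"
    openssl x509 -req -in "$WORK/remote.csr" -signkey "$2" -days 1 \
        -extfile "$WORK/remote.ext" -out "$3" 2>/dev/null
}

# Step 1 of the post: read the CN out of the remote certificate ($1).
extract_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# The scanner's own CA (the one users would have to import): key $1, cert $2.
make_scanner_ca() {
    gen_key "$1"
    openssl req -new -key "$1" -subj "/CN=Untangle SSL Scanner CA" \
        -config "$WORK/req.cnf" -out "$WORK/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$1" -days 1 \
        -extfile "$WORK/ca.ext" -out "$2" 2>/dev/null
}

# Steps 2-3 of the post: a CSR carrying the remote CN ($1), signed with the
# CA key ($2) and CA cert ($3). Leaf key goes to $4, leaf cert to $5.
mint_intercept_cert() {
    gen_key "$4"
    openssl req -new -key "$4" -subj "/CN=$1" -config "$WORK/req.cnf" -out "$WORK/leaf.csr"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$3" -CAkey "$2" -CAcreateserial \
        -days 1 -extfile "$WORK/leaf.ext" -out "$5" 2>/dev/null
}

# What a browser that imported the scanner CA ($1) concludes about the
# minted certificate ($3) when connecting to host $2.
verify_with_ca() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# What a browser with only its default trust store concludes: the scanner
# CA is not in there, so the chain cannot be built.
verify_without_ca() {
    openssl verify -verify_hostname "$1" "$2" >/dev/null 2>&1
}

run_demo() {
    make_remote_site_cert "www.example.com" "$WORK/remote.key" "$WORK/remote.crt"
    cn="$(extract_cn "$WORK/remote.crt")"
    make_scanner_ca "$WORK/ca.key" "$WORK/ca.crt"
    mint_intercept_cert "$cn" "$WORK/ca.key" "$WORK/ca.crt" "$WORK/leaf.key" "$WORK/leaf.crt"
    echo "CN taken from remote certificate: $cn"
    if verify_with_ca "$WORK/ca.crt" "$cn" "$WORK/leaf.crt"; then
        echo "client that imported the scanner CA: no warning"
    fi
    if ! verify_without_ca "$cn" "$WORK/leaf.crt"; then
        echo "client without the scanner CA: certificate warning"
    fi
}

run_demo
```

Two things the run makes visible that the description alone does not: the client that trusts the scanner CA still checks the name, so a certificate minted for www.example.com is rejected for any other host, and everything hinges on the single CA private key on the appliance, which can mint an acceptable certificate for any name as far as those clients are concerned. That key therefore needs the same protection as the box's most sensitive secret, and its loss means re-deploying the CA to every client that imported it.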

#13 JEllingson (Master Untangler; Warner Robins, GA; joined Jan 2008; 342 posts)

    You want to have an intentional "Man-in-the-middle" situation. Well... that could be tough.

You'll have to add the Untangle root CA cert on to every machine that will pass HTTPS through Untangle. That is possible with some time at each machine in your home, but not possible if you are using Untangle to protect YOUR web server (as you'll have to get everyone in the world using your site to trust your Untangle as a root CA).

It would certainly be an interesting challenge to the Untangle developers, I'm sure.

#14 Newbie (joined Jun 2008; 7 posts)

    Yes, but most people use Untangle to protect their clients.

But there could be some way to install the certificate automatically, and some user-friendly instructions that tell the user to press "YES" on the confirm-installation-of-a-Certificate-Authority box.

    Have a look at this page:
    http://www.cacert.org/index.php?id=17

    It will even detect if you press "NO" on the warning dialog that wants to install a certificate.

So you could simply have a captive portal when SSL Scanner is enabled, so that when users begin surfing the net they will see that box and have to push yes, else they don't get any internet access.

(Of course technical users can bypass the certificate install, but they will have annoying warnings all the time.)

#15 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 26,498 posts)

    Umm no...

    If you make UT scan SSL enabled sessions you are basically saying that the UT device is opening that communication to the world. I understand the need for the feature, but you are opening a legal can of worms you really don't want to get into. Trust me on this, SSL scanning is a BAD thing. It completely destroys your chain of authority.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#16 Newbie (joined Jun 2008; 7 posts)

    Some competitors do SSL scanning.
    Have a look at Bluecoat Proxy for example.
    read here: http://www.bluecoat.de/downloads/whi...BCS_SSL_wp.pdf

Quote (originally posted by Bluecoat SSL whitepaper):
    Lack of Protection
    Information security threats increasingly use SSL to propagate, hide, and increase effectiveness.
    Some of these threats (viruses, worms, Trojans) use SSL inadvertently – via Web mail (e.g., Gmail
    over HTTPS – which does not have virus scanning) or collaborative extranet applications.
    Threats can also encrypt with SSL deliberately – some examples:
    • “Secured” phishing, where the attack is performed over SSL to escape detection, and to increase the
    appearance of authenticity
    • “Secured” spyware or “researchware” (e.g., Marketscore), where all user traffic is run through
    Marketscore’s servers via SSL
    • Guardster, s-tunnel, JAP and other anonymizing services designed to circumvent controls.
    • Viruses and worms that leverage encryption have been predicted, and remain on the horizon
    For most organizations, the information security group is chartered to manage risk – which they
    cannot do if a significant percentage of user/application communications is invisible to them.
    Also WebWasher are doing it: http://www.clearview.co.uk/docs/Webw...SSLscan-PO.pdf
    And Cymphonix are doing it too: http://www.cymphonix.com/UserFiles/D...ent_Filter.pdf

So I think it's an essential feature if Untangle should be comparable to these companies. Maybe the SSL scanning feature could be a PRO feature in Untangle, but I don't think so, since many home users would have use of the SSL scanning feature too.

And it does not open the communication to the world. The traffic is only unencrypted *INSIDE* the Untangle box while it's scanned by the policy and AV engine.

And it does not destroy the chain of authority. It just replaces the server certificate with an Untangle internal certificate, and that authority is imported in the browser, so no problem with trust. Users won't get that pesky dialog about an invalid SSL certificate.
    Last edited by sebastian; 06-26-2008 at 08:49 PM.

#17 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 26,498 posts)

But legally it IS a destruction of the chain of authority. Trust me, I had a customer with a Blue Coat in a court room on that one. Saw the nightmare first hand. Plus, all that certificate swapping and forcing the security appliance to re-encrypt the session puts a massive load on the poor thing. Then again, I was working with a mortgage company back when real estate was going nuts... you have no idea how many SSL sessions a team of 70 loan officers can generate when they are running credit checks...

    I understand where you are coming from but this feature isn't really a feature. It is a nightmare. I suppose if UT wants to be complete it will have to include it. I just hope they have an option to turn it off. I want nothing more to do with it.

#18 Newbie (joined Jun 2008; 7 posts)

As I said, the feature is supposed to be a separate rack appliance that you can simply select not to mount in Untangle, or you can mount it but turn it off with the power button.
The rack could be called "SSL Scanner". So it's just an extra rack that someone could select to use, or select not to use. Up to each Untangle user to decide.

In most countries, for example here in Sweden, the law does not differ between cleartext traffic and encrypted traffic. So if it's illegal in some case to scan traffic, then it's illegal to scan both cleartext and encrypted traffic. If it's legal to scan traffic, then it's ok to scan both encrypted and cleartext traffic.

I don't know which country you live in, but since it's not about logging raw traffic data, but rather about security scanning of traffic to prevent viruses and malicious data from entering a network owned by you, I can't see any criminal intent with the SSL scanning, since the scanned network is yours.

#19 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 26,498 posts)

    I'm in the US. And the law is rather strange when you get into chain of custody. Basically if you want to be able to use a system in the legal arena you have to be able to prove that there is no system involved with the communication that can intelligently read that communication other than the source and the endpoint. By sticking an SSL filter in the middle you've created a man in the middle. This device can secure its connection all it wants but the fact remains that the traffic has to be decrypted, the instant that happens the data is legally compromised and legally you can no longer say that only this client and this server had access. It makes prosecuting things based on that connection data difficult.

Now all this can be thrown out the window if and only if the client knows about said intrusion. It is a lot like civilian wiretapping, which generally speaking is perfectly legal as long as both parties in the conversation know the recording is taking place. So for US law to work in a UT customer's favor, UT needs a captive portal feature before SSL insertion to allow the network admin to show the court that a mechanism is in place to advise the user about this recording process.

Whether or not the packets are logged is irrelevant. The decryption process still happens, so you treat it like a logging situation and then you can do whatever you want. Still, my customer lost a case due to this technology and I'm not entirely certain how exactly to correct the legal situation around this. I am no lawyer; I can just relate the specific experience I had with this one customer.

#20 Newbie (joined Jun 2008; 7 posts)

I don't think SSL decryption applies to wiretapping laws, even in the US.
Since phone traffic is non-encrypted, this would mean that it would be legal to wiretap phone traffic in the US.

In Sweden, the wiretapping laws apply to BOTH PLAINTEXT and ENCRYPTED traffic. But the wiretapping law only applies if you in some way log the traffic or view the traffic in realtime, and logging/viewing the source/destination of the traffic is enough; it's considered wiretapping. So in fact a firewall log, the log feature of IPS, and the log feature of the content scanning module are wiretapping.

And logging/viewing the encrypted traffic without decrypting it is considered wiretapping by Swedish law too.
Since both encrypted and plaintext traffic are legally the same thing here in Sweden.

But: only the subscriber (owner) of the connection needs to be informed, if any wiretapping takes place.

Since in most cases the system administrator of the Untangle box also owns the connection, this means that for a legal wiretapping, the wiretapper needs to inform the owner of the connection, which means that the system administrator of the Untangle box should inform himself of the wiretapping.
And since the system administrator knows that wiretapping takes place if he activates the firewall log or uses the log feature of the IPS, or logs rejected websites in the content filter module, he has effectively informed himself of the wiretapping just by wiretapping it.

If for example a boss of a company owns the connection, and an employed system administrator sets up an Untangle box and activates the logging modules, he is required to notify the boss of the wiretapping, at least here in Sweden.
    -------------------------------------------------------
As I said, the SSL Scanning should be an optional feature, so if you are having legal problems with SSL Scanning, just don't turn it on.

Just "encryption" is very very hard to define in the law. Is the traffic encrypted if I compress it? Is the traffic encrypted if I apply ROT-13 on it? Is the traffic considered encrypted if I XOR-encrypt it with the 2-bit key "01"?

All this makes occasional viewing of the traffic difficult, but all these "encryption" technologies I describe above are easily bypassed or cracked.

It's the same with the data intrusion laws in Sweden. The data intrusion laws in Sweden don't require password protection or any protection at all.
Since IT security is hard to define at all. It's very hard to legally define IT security.

Visiting a website found in Google can be enough to be prosecuted for data intrusion in Sweden. If the website is not intended for me, let's say a webpage only for paying members of a club, I commit data intrusion if I visit that webpage and I'm not a member of that club.
    Last edited by sebastian; 06-29-2008 at 05:24 AM.
