Re: ftp-proxy and TLS
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: ftp-proxy and TLS
- From: Toni Mueller <openbsd-misc_(_at_)_oeko_(_dot_)_net>
- Date: Thu, 1 Sep 2005 23:51:25 +0200
On Thu, 01.09.2005 at 19:29:57 +0200, Markus Wernig <markus_(_at_)_wernig_(_dot_)_net> wrote:
> Squid is different. Usually, it doesn't do SSL itself, but just passes
> the connection on.
It does, however, talk SSL to the outside server.
> You might be able to code around that by terminating two distinct
> sessions on the gateway, and have the gateway read the data channel,
I dimly remember reading about devices which proceed like that. While
I agree that these break parts of end-to-end security, they are touted
to put an end to corporate espionage and malware infiltration over
channels where you otherwise have no way of protecting your network (it
would be just too easy to put malware on an SSL-secured site and avoid
any virus scanners etc). I am also a bit undecided about the usefulness
of such devices. E.g. I like to have my borders secured by OpenBSD, but
I also like to have FTP access secured by SSL, thus making
password-sniffing a bit more difficult. Having to choose between no
firewall at the border on the one side and no SSL on the FTP server on
the other is no satisfactory answer.