A proxy is a MITM because it terminates your request for a website, makes its own request to that website, then once it receives the content from said website, delivers it to you. An SSL proxy does the same thing for HTTPS based content. It should not be a surprise that corporate devices trust the certificates signed by the corporate proxy.
There are many reasons for implementing an SSL Proxy, the primary reason is security. Web-based malware has transitioned almost exclusively to delivery over HTTPS. If the corporation is not inspecting HTTPS traffic for malicious code, then they are ignoring a significant portion of their web traffic, upwards of 40% and growing. This means no URL Filtering, Malware Scanning, Intrusion Prevention or other security measures are applied to almost half of all web traffic.
Still sticking with the security angle is outbound security, whether it is Data Loss Prevention, Botnet Command and Control or other exiting traffic that the company wishes to prevent, you are still only seeing about half of it without SSL inspection.
Typically, SSL proxies have the ability to control what sessions are decrypted and which ones aren't. This is usually tied to a URL Filtering package that identifies the category of website being requested based on URL or URI. Then policy is designed so that requests for banking and health care sites don't get decrypted.
Many security conscious companies do use SSL proxies and unfortunately, many do not. The ones that don't occasionally make the headlines, like Target and Adobe did recently. Sadly for them it wasn't for record breaking profits, it was because of mandatory breach disclosure laws and a security perimeter that is only about 50% effective. While this was bad for Target, it was also bad for the tens of thousands of Target customers who had their private information leaked. And Adobe lost 40Gigs of proprietary source code as well as customer data.
So, if you work for a company that does use SSL proxies, you can be pretty sure the purpose and intent is not to spy on YOU the employee, but to make sure that the company is doing everything it can to protect itself, its customers and even YOU its employee from the criminals who seek to steal information like credit card data, social security numbers, intellectual property and other private data.
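An added example, not part of the original comment and not any vendor's code: a minimal sketch of the category-based decrypt/bypass decision the comment above describes. The category database, the bypass list, the function names and the choice to decrypt uncategorized hosts are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: domain suffix -> URL-filtering category.
CATEGORY_DB = {
    "bank.example": "financial-services",
    "clinic.example": "health",
    "news.example": "news",
    "cdn.news.example": "content-delivery",
}

# Categories the policy leaves encrypted end to end (assumed list).
BYPASS_CATEGORIES = {"financial-services", "health"}


@dataclass(frozen=True)
class Decision:
    host: str
    category: str
    action: str  # "decrypt" or "bypass"


def categorize(host: str) -> str:
    """Return the category of the longest matching domain suffix.

    Matching is done on whole DNS labels, so "notbank.example" does not
    inherit the category of "bank.example".
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in CATEGORY_DB:
            return CATEGORY_DB[suffix]
    return "uncategorized"


def decide(requested_host: str) -> Decision:
    """Decide per session whether the proxy decrypts or passes through."""
    category = categorize(requested_host)
    # Assumption: anything not explicitly exempt, including hosts the
    # database does not know, is decrypted and inspected.
    action = "bypass" if category in BYPASS_CATEGORIES else "decrypt"
    return Decision(requested_host, category, action)


if __name__ == "__main__":
    for h in ("online.bank.example", "www.news.example", "notbank.example"):
        print(decide(h))
```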
And yet, I started reading them as a pre-teen.
I did not then, nor do I feel now, that the three Myth books I referenced are inappropriate for the age group.
Robert Asprin's Myth Adventures books, the first 3 are:
Another Fine Myth
Myth Conceptions
Myth Directions
Quite funny, lots of pun names and general hilarity.
Terry Pratchett's Discworld novels are also very funny, with lots of "play on word"s to keep a young mind on its toes (so to speak)...
Incidentally, SGI provided the hardware for the Jurassic Park control room, not to mention it was also the hardware platform for the rendering farm. So it's not entirely too far-fetched to presume that the SGI techs assigned to the JP project might have shown someone the "really cool" file manager.
For some reason, many of you are assuming that just because everything has a unique IP address that it must therefore be sitting unprotected on the Internet.
This is an unfounded theory. Many quality security products already have support for IPv6, this includes firewalls, IPS, AV gateways and the like. These types of preventive measures are required today with IPv4 and will continue to be required with v6. Moving to v6 does not mean all the script-kiddies and malicious hackers have gone away, security will be as important as ever.
The only hacker activity that will become obsolete will be Enumeration, reconnoitering a network to learn what its private address space is. Because we'll all have unique addresses, he won't need to determine what space is inside your firewall.
Of course, the more worrying hacking activities such as probing and attacking will still exist. Therefore security measures will still be required.
The security benefit of NAT devices today is debatable. Yes, they obscure the actual source address but that's it, and security through obscurity is weak at best. And as mentioned by an earlier poster, NAT breaks a good many things.
Have you tried to use SIP (VoIP protocol) through a NAT device? Be prepared to be frustrated. What about using your IPSec VPN client from behind a NAT device? Some IPSec vendors have methods to make this work (NAT Traversal) but it doesn't work natively. Don't even think about an X Windows client....
I look forward to the day when there will be no need for NAT, but there will always be a need to secure your network.
http://www.vonage.com/corporate/press_releases.php?PR=2006_05_08_0
They are going IPO and they are reserving stock for customers.
www.vonageipo.com may not be legit, but there is, in fact, mention of it on their site.
Sadly yes, it will use IE extensions to display the html (and associated) code. It is a hardcoded call to IE, not the default browser.
Much like following the HotMail link in MSN Messenger will launch a new IE window, despite having FF set as the default browser.
This must be true, the article is attributed to the Weekly World News. Everyone knows they are a pillar of integrity in journalism....
It's a pity really, life is much more humorous when you get the joke....