>
>Can SSLed HTTP connections be filtered based on URL or
>page content? Is it possible to proxy SSLed connections
>in any form?
Yes you can proxy SSL connections, if you use a non-transparent proxy for
SSL connections (declare it in the browser preferences).
>
>Assuming it is possible to proxy SSLed connections,
>given for example a school setup where one HTTP proxy
>bundles and filters all outbound and inbound traffic: Is
>it possible to a) suppress access to certain URLs and b) to
>filter out for example certain applets or images from
>incoming pages? Which products can do such a thing?
Netscape Proxy server does it. All SSL connections appear as "CONNECT <URL>"
commands. This enables you to apply a filter on the request. You can filter
a whole site, pictures, or everything you can identify just by looking at
the URL. You cannot filter out applets if you do not know their filenames
though.
>
>Assuming it is possible to proxy SSLed connections: Does
>the user have a choice or is the user notified that the
>connection is being proxied and what are the security
>implications of proxied SSL connections with regard to
>password gathering, faked responses and/or host
>spoofing?
Well, the user would know that his connections are proxied whenever there is
a timeout to an external site: the error message would give the name of the
proxy (usually).
As for a choice of using the proxy or not, I don't think the user would have
the choice: a site with an SSL proxy would probably filter any SSL
connection without the proxy.
SSL proxying does not, as far as I know, see the content of what is being
transferred because it is encrypted. Maybe someone will write an SSL proxy
which will establish an SSL connection with the user and another with the
target server but to my knowledge it has not been done yet.
If the password is transmitted along with the URL then it would indeed be
possible to see the passwords in the proxy logs.
Well, I hope this helps a bit although I'm no SSL expert.
PCW
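
The filtering of CONNECT requests discussed in the reply above, as an added example that is not part of the original message and is not Netscape Proxy Server code. A CONNECT request line names its target as host:port, so the sketch decides on those two values; the blocked domains, the allowed port and the sample request lines are constructed assumptions.

```python
# Constructed policy for illustration; names and values are assumptions.
BLOCKED_DOMAINS = {"games.example", "chat.example"}
ALLOWED_PORTS = {443}


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/x.y', else None."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    # Normalise case and a trailing dot so "GAMES.example." cannot slip past.
    host = host.lower().rstrip(".")
    if not sep or not host or len(port) > 5:
        return None
    if not (port.isascii() and port.isdigit()) or not 0 < int(port) < 65536:
        return None
    return host, int(port)


def is_blocked(host):
    """True if host is a blocked domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def decide(request_line):
    """Filter decision using only what the CONNECT line exposes."""
    target = parse_connect(request_line)
    if target is None:
        return "reject: malformed"
    host, port = target
    if port not in ALLOWED_PORTS:
        return "deny: port"
    if is_blocked(host):
        return "deny: host"
    return "allow"


if __name__ == "__main__":
    # Constructed sample request lines as a proxy would receive them.
    for line in [
        "CONNECT shop.example:443 HTTP/1.0",
        "CONNECT www.games.example:443 HTTP/1.0",
        "CONNECT GAMES.example.:443 HTTP/1.1",
        "CONNECT shop.example:25 HTTP/1.0",
        "CONNECT https://shop.example/login HTTP/1.0",
    ]:
        print(f"{decide(line):18} {line}")
```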