×

Loading...
Ad by
  • 最优利率和cashback可以申请特批,好信用好收入offer更好。请点链接扫码加微信咨询,Scotiabank -- Nick Zhang 6478812600。
Ad by
  • 最优利率和cashback可以申请特批,好信用好收入offer更好。请点链接扫码加微信咨询,Scotiabank -- Nick Zhang 6478812600。

@

That's a interesting idea, never thought about https could be decrypted.

holdon(again)
( maybe FBI can, but certainly not some small companies . After googled web washer, I think it's not that difficult;

They don't really decrypt https, they just cut it to two pieces: route all the https traffic to web washer server, web washer server then act as a browser to resend the request to real server; then send back the response to real browser.

the problem is the the web washer server can't fake the real ssl certificate, so the end user will see a certificate different than the https website's real certificate. probably all the company's internal machine need to install a new trusted root certificate or something?

there is another application apr-https probably do the same thing.

So what you can do is access one https website from home and write all the certificate infomation, do the same in your company and prepare the certificate, if it's different, then your company really have a strong internet access policy and don't try anything not allowed.
(#3996815@0)
Last Updated: 2007-10-17
This post has been archived. It cannot be replied.
Report

Replies, comments and Discussions:

  • 工作学习 / 科技领域杂谈 / 上班累时想偷偷上下网,但不想留下任何的记录和让管理员查到,有什么好的办法吗? 光清除History是没用的吧?象还有什么cookie之类的,请高手指点,小弟不胜感激. -jjjmonkey(monkey); 2007-10-1 (#3965809@0)
    • 找个U盘250mb的就可以了, 用FirefoxPortable, 插上U盘, 在U盘上运行Firefox, 还可以改全部显示为黑白, 绝对不会吸别人眼球. -loneliman(孤独人); 2007-10-1 (#3965868@0)
      • 别瞎折腾了,管理员不看你屏幕就知道你干嘛。一般公司允许上班适当上上无关网站,如果绝对不允许,就别动心眼了。 -duoshaosuanshao(不多也); 2007-10-1 (#3965886@0)
        • 先和网管套磁. -loneliman(孤独人); 2007-10-1 (#3965902@0)
    • 直接问你们的网管,有时候他们会告诉你的。 -pnpn(双飞雁); 2007-10-6 (#3975816@0)
    • 他要查你,根本就不需要看你的机器。代理服务器上有你连接到任何站点的记录。还可以在网管设备上截取你的来往数据包。理论上你进出的内容都可以解密后看到 -bigeyedog(小心使得万年船); 2007-10-15 (#3992635@0)
      • "内容" except HTTPs traffic. -liquid(avaya); 2007-10-15 (#3992940@0)
      • 显然你的理论不对。连dns lookup都可以通过ssh tunneling -galactica(掂花狂笑); 2007-10-15 (#3993528@0)
        • 通过工具可以在router上截取任何一个ip包,甚至任何一个的bite,通过对数据解密就可以知道内容了 举个例子,有cisco个叫netxray的工具,可以直观的看到任何一个lan-lan或lan-wan连接,以及传输了多少数据,不管你用什么方法连接 -bigeyedog(小心使得万年船); 2007-10-16 (#3994779@0)
          • You can only see the raw data of https/ssh traffic, there is no way to decrypt them. -liquid(avaya); 2007-10-16 (#3994907@0)
            • Actually some web filters can unencrypt https traffic such as Web Washer -bluejl(bluejl); 2007-10-16 (#3995655@0)
              • decrypt, buddy! -001isbetter(_); 2007-10-16 (#3996057@0)
                • same thing, brother! -bluejl(bluejl); 2007-10-17 (#3997034@0)
              • How does it work? How does it get the session key? Any example? -liquid(avaya); 2007-10-16 (#3996518@0)
                • That's a interesting idea, never thought about https could be decrypted. -holdon(again); 2007-10-17 {992} (#3996815@0)
                  ( maybe FBI can, but certainly not some small companies . After googled web washer, I think it's not that difficult;

                  They don't really decrypt https, they just cut it to two pieces: route all the https traffic to web washer server, web washer server then act as a browser to resend the request to real server; then send back the response to real browser.

                  the problem is the the web washer server can't fake the real ssl certificate, so the end user will see a certificate different than the https website's real certificate. probably all the company's internal machine need to install a new trusted root certificate or something?

                  there is another application apr-https probably do the same thing.

                  So what you can do is access one https website from home and write all the certificate infomation, do the same in your company and prepare the certificate, if it's different, then your company really have a strong internet access policy and don't try anything not allowed.
                  • This is called phishing, not decrypting https, and cannot handle ssh tenelling. -liquid(avaya); 2007-10-17 (#3996829@0)
                    • Generally SSH outgoing is blocked by company firewall,company is only interested in employees' web access. -bluejl(bluejl); 2007-10-17 (#3997040@0)
                      • SSH tunneling is specially used to get through corporate firewall, like VPN, it can provide secured connection between any computers without middle man attack (SSH-2). -liquid(avaya); 2007-10-17 (#3997094@0)
                        • your company doesn't have good firewall policy, SSH and VPN shouldn't go through company firewall -bluejl(bluejl); 2007-10-17 (#3997161@0)
                          • My company is a security company and VPN is the official remote connection method. -liquid(avaya); 2007-10-17 (#3997214@0)
                            • IT company is different, you may need SSH or VPN to clients. For non-IT company whith restrict firewall policy, only limit and necessary outgoing access ports are open. -bluejl(bluejl); 2007-10-17 (#3997303@0)
                              • As long as corporate firewall allows certain ports (like 80, 443 etc), you can configure the tunneling run through it. -liquid(avaya); 2007-10-17 (#3997344@0)
                                • IPS or IDS will find it. IPS and IDS can look deeper than firewall and know you are tunneling other traffic into normal http/https, depends on IPS policy, you maybe blocked. -bluejl(bluejl); 2007-10-17 (#3997369@0)
                                  • IPS needs to know the content of the packets (which are encrypted in case of https/ssh) to do filtering and doesn't work here. We have built-in IPS in our products. -liquid(avaya); 2007-10-17 (#3997464@0)
                • yes, web washer send a fake cert to browser, user won't notice it. -bluejl(bluejl); 2007-10-17 {301} (#3997029@0)
                  through Windows group policy, web washer can be pushed as a root CA into all company computers, users won't see any cert warning, everything is transparent to end users. This is not really decrypting https session, but the result is same, company will see your data in https session, so be careful!!!
                  • I don't believe Company can push fake certificates into root CA and passes validation, do you have any proof of this? e.g. make a certificate for google.com and make it in the chain under VeriSign? -liquid(avaya); 2007-10-17 (#3997080@0)
                    • we are using web washer. about cert, web washer will act as CA and issue cert, -bluejl(bluejl); 2007-10-17 {391} (#3997155@0)
                      it is not related to any public CA. as long as your browse trust the cert, there is no warning pop up. as I mention before, windows group policy will push web washer CA into your computer, then your computer will trust any cert issued by Web Washer, your browser will never see real cert from the https site you access. It is not fake cert of the https site, it is a new cert of Web Washer.
                      • I don't believe "your browser will never see real cert from the https site you access". You can always view the certificate used by the remote server and check which CA issued the certificate. -liquid(avaya); 2007-10-17 (#3997223@0)
                        • right. but how many non-IT employees know what is CA and Cert? -bluejl(bluejl); 2007-10-17 (#3997286@0)
                  • employee can easily find out if the comany are using web washer by comparing the certificates though. -holdon(again); 2007-10-17 (#3997252@0)
                    • the point is not CA or Cert, the point is there is a way company can monitor https traffic. -bluejl(bluejl); 2007-10-17 (#3997318@0)
                      • I believe the point here is company can only see https traffic by setting up phishing sites (I believe there is legal issue here) and user will notice it. Do you care about certificate when you use online banking? I do. -liquid(avaya); 2007-10-17 (#3997362@0)
                        • there is not phishing site. Web Washer break one https connection into two, act as proxy. You and I both care cert and CA, but many people don't know what they are. -bluejl(bluejl); 2007-10-17 (#3997381@0)
    • an answer echos for thousands of years: 要想人不知,除非己莫为 -win(秋天的菠菜); 2007-10-16 (#3994793@0)
      • 自己花钱无线上网吧,不过要靠窗才好用。 -sane0898(浪迹ROLIA,一年又一年); 2007-10-16 (#3995359@0)
        • 请问具体怎么操作? -rules(南北); 2007-11-9 (#4049418@0)
          • 这个我知 -duoshaosuanshao(不多也); 2007-11-9 (#4049442@0)
            • 谢谢! -rules(南北); 2007-11-10 (#4049500@0)
            • 这个很好用,我告诉一个同事,他真的去花钱弄了无限上网, 还另外买了一个硬盘, 要用的时候把公司的硬盘抽出来, 然后把自己的硬盘装上, 神不知, 鬼不觉。 -rules(南北); 2007-12-6 (#4104957@0)
    • 这肉联的人就是唧唧歪歪的, 你有胆子就上, 没胆子就别上. 就象搞假驾照, 偷领牛奶金...的一样, 你的一举一动都在别人的眼里, 出来混, 总要还的. -001isbetter(_); 2007-10-16 (#3995405@0)
    • get a second user id and pass word. this is what i am doing. -china-cat(chinacat); 2007-10-19 {72} (#4001354@0)
      i am the "smartest". what i can say about those Professionals.........
    • 设proxy 为 127.0.0.1:xxx, 从ssh tunnel 连到家里,从家里的proxy 上网。 -647i(流浪的步行万里); 2007-12-6 (#4104803@0)
    • 我用remote desktop登陆家里的计算机,从家里的机器上网灌水。网管知道我用remote desktop登陆某一台机器,但是不知道我在干什么 -xiaoliu(我心安处是我家); 2007-12-10 (#4110826@0)

More Topics

  • For those of you, who don’t believe that we have technology to control the weather or cause earth quacks, please watch this video.
  • 美国考古博士生分析激光雷达数据发现失踪的千年玛雅古城
  • Yann LeCun最新公开表示:今年诺贝尔奖颁给AI,是诺奖委员会感到压力的结果,需要承认深度学习的影响。化学奖塞不下更多人,所以只能选了物理, 颁给Hinton和Hopefield勉强合理. 获奖成果玻尔兹曼机和Hopefield网络现在完全无用(completely useless)。
  • Nobel Prize-Winner on AI 'Existential Threat' 辛顿认为我们也许很快就失去对AI的控制。这东西在20年内可能超过人类。
  • CO2 is known as the gas of life according to this Harvard professor - the more CO2 we have the more life there can be on the planet.
    • 枫下论坛主坛工作学习科技领域杂谈