On 11/5/10 4:27 AM, Ben McGinnes wrote:
On 5/11/10 9:39 AM, Ross Walker wrote:
As for the SSL part, you can monitor traffic over it in a couple of ways. For internal services being served out, you can have the SSL connection terminate at the gateway and have the gateway establish an internal SSL connection to the service. For internal clients connecting to external services I have used SSL inspectors; these basically initiate an SSL connection to the destination, take the certificate, generate a per-destination certificate themselves and pass that to the client, basically acting as a man in the middle. As long as the gateway/inspector is a trusted intermediate CA and the subject is preserved, the client doesn't have a problem with it.
I believe this is one of the methods that was looked at to enable ISPs to filter/censor/log SSL connections should the government policies become legislation here. Except for all outbound connections. The rest of us call it a MitM (when used for outbound or between third parties, not in your example).
So if you really want privacy you need to run another layer of encryption end to end with an uncommon cipher?
-- Les Mikesell lesmikesell@gmail.com