[Oisf-users] Decrypt ssl sessions

Peter Manev petermanev at gmail.com
Mon Nov 21 18:01:06 UTC 2011


Hi,
I agree with Shane.
You might want to give Nginx a try.
It is basically a load balancer/reverse proxy (open source, lives on
Linux/Unix/Windows), with the ability to use OpenSSL to effectively address
the need for HW accel.
It is proven to be robust and light (11% of total current websites use it,
including heavyweights like Facebook, Zappos, Groupon, LivingSocial, Hulu,
TechCrunch, Dropbox and WordPress) - http://nginx.org/
Some more info and how-tos - http://wiki.nginx.org/Main

Three years ago they did some testing for WordPress -
http://barry.wordpress.com/2008/04/28/load-balancer-update/ - the results
are here.

If you would like to take a look at more open source suggestions for LB/HW
accel - http://www.ambitwire.com/lbc.html

Thanks


On Mon, Nov 21, 2011 at 6:47 PM, Shane Anglin <Shane.Anglin at knology.com> wrote:

> In regards to outbound web SSL traffic:
> For performance reasons, it is best to have a hardware SSL accelerator to
> do the MITM decrypting and encrypting... I am unaware of an open source
> project using a GPU for this (would like to hear if there is one though),
> but it should be feasible enough as some password cracker apps can use GPU
> computational power.  There are approaches to doing the SSL interception
> inline versus side-band (where data is duplicated to another path for
> investigation).   What factors into much of this is whether you need to make
> it transparent to the user or not.  The only way to do this transparently is
> to have all the private keys for all the traffic being generated and load
> those onto the SSL interception device... it depends on your environment,
> your access to your client's private key stores, internal policies &
> procedures, and whether you trust the SSL interception device with that
> critical data.
>  Non-transparently, you could employ a proxy and force the users to go
> through it, but you then have to publish an SSL cert for the proxy and
> convince the users to trust that cert or forever receive SSL warnings...
> again, it depends on the environment you are supporting and what policies
> you can enforce.  Proxy-wise, the commercial ones I have used allow you to
> pass the traffic off to another device for investigation via PCAP, etc.
>
> Overall, if you want to decrypt the SSL sessions, you need the private
> keys (a big can of worms) or the ability to intercept the sessions to
> decrypt and encrypt to destination (a proxy and user acceptance and
> maintenance).
>
> Regards,
>
> Shane Anglin     GSEC, GCIH, GPEN
> Knology Broadband, Inc.
>
>
> -----Original Message-----
> From: oisf-users-bounces at openinfosecfoundation.org [mailto:oisf-users-bounces at openinfosecfoundation.org] On Behalf Of Martin Holste
> Sent: Monday, November 21, 2011 10:12 AM
> To: Robert Vineyard
> Cc: oisf-users at openinfosecfoundation.org
> Subject: Re: [Oisf-users] Decrypt ssl sessions
>
> Sounds like a great masters thesis for someone...
>
> On Mon, Nov 21, 2011 at 8:49 AM, Robert Vineyard <robert.vineyard at oit.gatech.edu> wrote:
> > On 11/21/2011 9:33 AM, carlopmart wrote:
> >>   Maybe it is off-topic, but AFAIK Suricata doesn't decrypt SSL
> >> sessions, correct? But does some open-source tool exist that can do it
> >> and pass traffic to Suricata to analyze?
> >
> > I don't think it's off-topic at all, and in fact is a feature that
> > would give Suricata a competitive advantage over many other IDS
> > systems - including Snort.
> >
> > We've observed attackers utilizing encryption to mask their
> > activities, often sending malicious traffic over legitimate HTTPS or
> > SSH channels. This technique is generally successful in allowing them
> > to bypass traditional signature-based IDS setups.
> >
> > There are some commercially-available products that either include SSL
> > decryption or offer it as an add-on, including one from Sourcefire.
> >
> > I think a good first start if there's enough interest in pursuing this
> > type of functionality would be real-time decryption of private
> > key-escrowed legitimate traffic. A number of application-layer "next
> > generation" firewalls can do this with minimal additional overhead,
> > particularly considering some of the crypto-acceleration features built
> > in to recent CPUs from Intel and others - never mind the ongoing Suricata
> > CUDA development. GPUs could be leveraged for SSL decryption as well...
> >
> > Unfortunately I don't really have much in the way of development
> > resources to offer here, but I may be able to provide testing
> > facilities in our high-traffic university environment where such a
> > feature would be heavily utilized.
> >
> > --
> > Robert Vineyard, CISSP, RHCE
> > Senior Information Security Engineer
> > Georgia Tech Office of Information Technology
> > 404.385.6900 (office/cell) / 404.894.9548 (fax)
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >



-- 
Peter Manev
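The reverse-proxy approach Peter suggests, as an added example that is not from the thread: a minimal nginx.conf that terminates TLS on the proxy (which alone holds the site's private key) and forwards plain HTTP to the backend, so Suricata can inspect that internal hop without ever touching the key. Hostnames, addresses and certificate paths are placeholders; this covers inbound traffic to services whose keys you hold, not the outbound-MITM case Shane describes.

```nginx
# Added example (not from the thread): minimal nginx.conf that terminates TLS
# in front of an internal web app so the IDS sees the plaintext leg of each
# request. Hostnames, addresses and paths are placeholders.
events { worker_connections 1024; }

http {
    # Plaintext destination on an internal segment. Run Suricata on that
    # segment (e.g. af-packet on the proxy's inside interface, or a SPAN port
    # feeding a sensor) and it analyzes decrypted HTTP without any key.
    upstream app_backend {
        server 10.0.0.10:8080;
    }

    server {
        listen 443 ssl;
        server_name www.example.com;

        # The private key lives only on the proxy host: this is the single
        # point that holds the "critical data" the thread warns about.
        ssl_certificate     /etc/nginx/ssl/www.example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/www.example.com.key;

        # The proxy is now the TLS endpoint clients negotiate with, so its
        # policy decides what is accepted (TLSv1.3 needs nginx 1.13+ and
        # OpenSSL 1.1.1+).
        ssl_protocols             TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        location / {
            # Plain HTTP to the backend: this hop is what Suricata inspects.
            proxy_pass http://app_backend;
            # Preserve the real client address so IDS alerts and backend logs
            # point at the source, not at the proxy.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    # Send plain-HTTP visitors to the TLS listener.
    server {
        listen 80;
        server_name www.example.com;
        return 301 https://$host$request_uri;
    }
}
```

Check the file with `nginx -t` before reloading; Suricata must be pointed at the interface carrying the proxy-to-backend traffic, not the one receiving TLS.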