Firewalls – Part 6 SSL (HTTPS) Proxies
Friday, January 30th, 2009

As we all know, SSL (HTTPS) connections are encrypted from the client computer to the server, using a symmetric encryption key that is established at the beginning of the session and is only known to these two computers. Therefore, any SSL traffic that passes through a typical proxy server cannot be read or analyzed. In highly secure environments, this opens a hole through the proxy server: any program, including a malicious one, can pass through the firewall freely, and filtering programs designed to intercept sensitive or proprietary information cannot do so if the information is encrypted.
An SSL (HTTPS) proxy solves this issue by intercepting the initial SSL connection attempt and establishing an SSL tunnel between itself and the client computer on the internal LAN and then establishing another SSL tunnel to the server that the client wants to connect to.
In this manner, the SSL packets can be decrypted, analyzed, modified or blocked if necessary, re-encrypted, and then sent on. This is very much analogous to what happens at a HTTP proxy, but it is more complicated, more resource-intensive, and has security implications for the internal clients.
- All client computers on the internal network must be configured to accept a certificate from the SSL proxy as a trusted substitute for any other certificate requested.
- The SSL security model has essentially been broken. Anyone with access to the SSL proxy can intercept information in an unencrypted (plaintext) form and read it.
This process can be fairly transparent to the user, but it is possible to detect an SSL proxy. Clicking the lock icon in either Firefox or IE allows you to view the certificate being used for an SSL connection. If the certificate is for an entity other than the one you requested to connect to, your connection is going through an SSL proxy.
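The certificate check described above, automated, as an added example that is not part of the original post. It uses the dictionary layout that Python's `ssl` module returns from `getpeercert()` (that layout is real); the three certificates embedded below are constructed sample data, and `Corp SSL Proxy CA` is an assumed name for the proxy's signing CA. Beyond the post's own test (is the certificate for a different entity?), the example also handles the case where the proxy re-issues a certificate whose subject matches the requested host but which is signed by the proxy CA that the client was configured to trust, which is exactly the "trusted substitute" certificate the list above warns about.

```python
"""Decide from a server certificate whether an SSL/TLS proxy sits in the path.

Added example, not from the original post. Certificate dicts follow the
shape of ssl.SSLSocket.getpeercert(); the sample certs are constructed.
"""
import socket
import ssl
from typing import Iterable


def _names_in(cert: dict) -> list[str]:
    """Collect the DNS names a certificate claims (SAN entries plus subject CN)."""
    names = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower())
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def _matches(name: str, host: str) -> bool:
    """Exact match, or a single-label wildcard such as *.example.com."""
    if name == host:
        return True
    if name.startswith("*."):
        return host.endswith(name[1:]) and host.count(".") == name.count(".")
    return False


def issuer_org(cert: dict) -> str:
    """Organization name of the CA that signed the certificate."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert: dict, requested_host: str, proxy_issuers: Iterable[str]) -> str:
    """Return 'direct', or a reason string if the connection looks intercepted."""
    host = requested_host.lower()
    # The post's test: a certificate for some other entity means a proxy answered.
    if not any(_matches(n, host) for n in _names_in(cert)):
        return "intercepted: certificate is for another entity"
    # Re-signed certificates keep the subject but carry the proxy CA as issuer.
    if issuer_org(cert) in set(proxy_issuers):
        return "intercepted: issued by proxy CA"
    return "direct"


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Retrieve the certificate actually presented for `host` (needs network).

    With the default context, a proxy CA that is NOT in the client's trust
    store makes the handshake fail with CERTIFICATE_VERIFY_FAILED, which is
    itself a sign of interception; a proxy CA that IS trusted (the normal
    corporate setup) handshakes cleanly and is caught by classify().
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real CAs or hosts).
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
RESIGNED_PROXY_CERT = {  # subject copied from the real site, signed by the proxy CA
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Corp SSL Proxy CA"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
PROXY_OWN_CERT = {  # the case the post describes: the proxy presents its own certificate
    "subject": ((("commonName", "sslproxy.corp.internal"),),),
    "issuer": ((("organizationName", "Corp SSL Proxy CA"),),),
}

PROXY_CAS = {"Corp SSL Proxy CA"}  # assumed name of the organisation's proxy CA

if __name__ == "__main__":
    for label, cert in [("direct", DIRECT_CERT), ("re-signed", RESIGNED_PROXY_CERT),
                        ("proxy's own", PROXY_OWN_CERT)]:
        print(f"{label:12s} -> {classify(cert, 'www.example.com', PROXY_CAS)}")
```

The wildcard rule deliberately accepts only one label, so a certificate for `*.example.com` covers `api.example.com` but not `deep.api.example.com`; a looser match would let a proxy's broad certificate pass the name check.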
Because establishing and maintaining an SSL proxy involves a considerable expense, SSL proxies are normally only used in corporate settings or where security requirements are high. An example of a commercially available SSL proxy can be found here.
Next: Firewall traversal and NAT traversal
Dennis H in West Virginia, US
January 17, 2009