On Thursday 07 September 2006 18:28, Jakob Curdes wrote:

> several months ago we had a lengthy discussion here about the prevention
> of ssl tunneling through a http proxy. The conclusion was that to avoid
> this type of misuse which can undermine your entire security strategy
> you need to inspect the ssl content.

Definitely. People will play tricks on you for sure otherwise. Guess how
many SSH servers run on port 443...

> I just stumbled on the commercial
> product "WebWasher" from Securecomputing Inc. Does anybody have
> experience with this or similar products?

Yes, we are running WebWasher for 5,500 users. While the previous versions
were a bit unstable the current 5.x versions are working smoothly. The SSL
scanner they developed works like a charm.

> Can it be integrated in a linux-based squid / iptables system (there is
> a linux version but no technical details)? Is there any open source
> program to achieve the same thing ?

I don't know any free SSL scanner. We are using the WebWasher for much more
than just SSL scanning anyway. Squid isn't sufficient at all for enforcing a
corporate security policy. This may change once large companies stop using
crap like Windows and especially the Internet Explorer.

We use Squid and WebWasher in a proxy chain though because WebWasher is weak
at ACLs. Squid has an unmatched flexibility in terms of ACLs and is
obviously a cache - what WebWasher isn't. You could as well try to use both
through an ICAP connection since WebWasher works both as an HTTP/HTTPS/FTP
proxy and as an ICAP server.

Enough advertisement. :)

Cheers
Christoph
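The SSH-on-port-443 trick mentioned above is the cheap end of the problem: a client sends CONNECT host:443, the proxy opens a blind tunnel, and whatever flows through it is not HTTP(S) at all. Short of a real SSL scanner, a proxy can at least refuse tunnels whose first bytes are not a TLS handshake. The Python below is an added example written for this post; it is not WebWasher, Squid or ICAP code, the function names are my own, and the sample byte strings are constructed by hand rather than captured.

```python
"""First-bytes classifier for an HTTP CONNECT tunnel.

Added example, not code from WebWasher, Squid or the thread. Assumes the
proxy can peek at the first bytes sent in either direction after the
tunnel is established and decide before relaying them.
"""

TLS_HANDSHAKE = 0x16                      # TLS record content type: handshake
HANDSHAKE_TYPES = {0x01: "ClientHello", 0x02: "ServerHello"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_tunnel_bytes(data: bytes) -> str:
    """Classify the first bytes seen in one direction of a CONNECT tunnel.

    Returns 'tls', 'sslv2-hello', 'ssh', 'http', 'unknown' or 'short'.
    Looking at both directions matters: an SSH server sends its banner
    immediately even if the client waits, so the server side gives it away.
    """
    if len(data) < 6:
        return "short"                    # buffer more before deciding

    # TLS record layer: 0x16 (handshake), version major 0x03, 2-byte record
    # length, then the handshake message type (ClientHello / ServerHello).
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[5] in HANDSHAKE_TYPES:
        record_len = int.from_bytes(data[3:5], "big")
        if 0 < record_len <= 16384 + 2048:  # plausible TLS record size
            return "tls"

    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # message type 0x01, then the client's max version (0x03 0x0y).
    if data[0] & 0x80 and data[2] == 0x01 and data[3] == 0x03:
        return "sslv2-hello"

    # SSH identification string: "SSH-protoversion-softwareversion\r\n".
    if data.startswith(b"SSH-"):
        return "ssh"

    # Plain HTTP inside the tunnel, request from the client or response
    # from the server.
    if data.startswith(HTTP_METHODS) or data.startswith(b"HTTP/1."):
        return "http"

    return "unknown"


def tunnel_allowed(data: bytes, port: int) -> bool:
    """Policy: CONNECT only to port 443, and only if the bytes look like TLS."""
    if port != 443:
        return False
    return classify_tunnel_bytes(data) == "tls"


# Constructed samples (not captured traffic): a TLS 1.0 ClientHello record
# header with a zero-filled body, an OpenSSH-style server banner, a plain
# GET request and an SSLv2-compatible hello.
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x2F,      # record: handshake, TLS1.0, 47 bytes
                    0x01, 0x00, 0x00, 0x2B,            # ClientHello, 43-byte body
                    0x03, 0x01]) + b"\x00" * 43
SAMPLE_SSH = b"SSH-2.0-OpenSSH_4.3\r\n"
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_SSLV2 = b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00"

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("ssh", SAMPLE_SSH),
                         ("http", SAMPLE_HTTP), ("sslv2", SAMPLE_SSLV2)):
        print(f"{name:6} -> {classify_tunnel_bytes(sample):12} "
              f"allowed on 443: {tunnel_allowed(sample, 443)}")
```

This only catches the lazy tunnelers. Anyone who wraps their SSH or VPN in a genuine TLS handshake passes this check, which is exactly why the thread's conclusion stands: to know what is inside the tunnel you have to terminate and inspect the SSL session itself, as the scanner discussed here does.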