On 5/23/07, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
"Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx> wrote in message news:1179939625.31121.48.camel@xxxxxxxxxxxxxxxxxxxxxx
> Most isn't actually using SSL, so an IDS system looking for odd traffic
> in CONNECT requests will trap many of them (but not all).
Any chance of implementing basic "Is this CONNECT session really SSL?" functionality in Squid?
Correct. But I am specifically interested in the bad guys who use SSL.
I recall some (recent?) research on using Netflow and/or Argus to identify unusual patterns of traffic flow. Normal HTTP inside of SSL produces a different pattern of query->response packets than does a remote access tunnel; this can be detected by old school "traffic analysis".

Another option is to route SSL through a commercial product which does true SSL/TLS "interception", terminating the crypto in the analysis box and then re-establishing a new SSL session to the Internet. This has *huge* implications for privacy, HIPAA, etc. I've spoken with Bluecoat, Radware, Checkpoint, and others about products in this space, but the whole idea gives me the willies.

Kevin
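As an added illustration of the "Is this CONNECT session really SSL?" check raised in the thread (this is example code written for this page, not anything from Squid or from the posters): a heuristic that inspects the first bytes a client sends inside a CONNECT tunnel and reports whether they look like an SSL/TLS handshake. The sample byte strings, the `TunnelVerdict` type and the function name are all constructed here.

```python
from dataclasses import dataclass

# Constructed samples of what a client might send first inside a CONNECT tunnel.
_hello_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
_handshake = b"\x01" + len(_hello_body).to_bytes(3, "big") + _hello_body
TLS_HELLO = b"\x16\x03\x01" + len(_handshake).to_bytes(2, "big") + _handshake
_v2_msg = b"\x01\x00\x02\x00\x03\x00\x00\x00\x10\x01\x00\x80" + bytes(16)
SSLV2_HELLO = (0x8000 | len(_v2_msg)).to_bytes(2, "big") + _v2_msg
SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


@dataclass
class TunnelVerdict:
    is_tls: bool
    reason: str


def classify_tunnel_start(data: bytes) -> TunnelVerdict:
    """Heuristic: do the first client bytes of a CONNECT tunnel look like an
    SSL/TLS handshake?  Recognises a TLS record carrying a ClientHello and
    the legacy SSLv2-compatible ClientHello; everything else is 'not SSL',
    which is the condition an IDS rule on CONNECT traffic would alert on."""
    if len(data) < 6:
        return TunnelVerdict(False, "too short for any hello")
    # TLS record layer: type 0x16 (handshake), version 3.x, 2-byte length,
    # then a handshake header whose type byte 0x01 means ClientHello.
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        rec_len = int.from_bytes(data[3:5], "big")
        if rec_len >= 4 and data[5] == 0x01:
            return TunnelVerdict(True, "TLS record with ClientHello")
        return TunnelVerdict(False, "TLS-like record without ClientHello")
    # SSLv2 framing: high bit set on a 2-byte length, then msg type 0x01
    # and a version of either 0x0002 (SSLv2) or 0x03xx (v2-compat hello).
    if data[0] & 0x80 and data[2] == 0x01 and data[3] in (0x00, 0x03):
        msg_len = ((data[0] & 0x7F) << 8) | data[1]
        if msg_len >= 9:
            return TunnelVerdict(True, "SSLv2-style ClientHello")
    return TunnelVerdict(False, "no SSL/TLS handshake at tunnel start")


if __name__ == "__main__":
    for name, sample in [("TLS", TLS_HELLO), ("SSLv2", SSLV2_HELLO),
                         ("SSH", SSH_BANNER), ("HTTP", PLAIN_HTTP)]:
        print(name, classify_tunnel_start(sample))
```

This only separates plaintext tunnels from real TLS; for tunnels that genuinely use SSL, only the flow-pattern analysis Kevin describes (or interception) can say anything more.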