The data will eventually be released on SSLFail.com following the conference.
October 1st, 2009, 02:42 PM
SSL has been a sore subject in my organization. We had a pentest done before I was hired and the pentesters had used a bot which was emailed to a user, and they were tricked into installing it. Once installed, it communicated over SSL using a self-signed certificate. The answer to fix that was to block access to ALL SSL sites and to permit only those that had been inspected by IT.
As you can imagine, this caused a huge amount of overhead on the network admins as they had to check out every SSL site. All the while, there was no proxy/content inspection for normal HTTP sites and all that traffic was allowed through.
When I saw this was happening, I was amazed that this was their answer. To me, it was just a waste of time. As it turned out, they were using a SonicWall firewall which has SSL control, which allows you to block untrusted CAs, weak SSL ciphers, self-signed certs, etc. Then just whitelist their domain if they are OK to use. I set up this feature and implemented a Bluecoat SG Proxy with SSL inspection.
There are several other layers that I've implemented but they have to do with antivirus/firewall and local access, so they are not relevant to this discussion.
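The SSL-control policy the post above describes (block untrusted CAs, weak ciphers and self-signed certificates, then allowlist known-good domains), written out as an added example that is not part of the original thread or of any SonicWall or Blue Coat product; the session records, cipher names, trust anchors and allowlist are all constructed for illustration, and self-signed detection is simplified to a subject/issuer comparison.

```python
"""Policy evaluator modelling the SSL-control behaviour discussed above."""
from dataclasses import dataclass

# Constructed policy inputs (hypothetical values, not from any product).
WEAK_CIPHERS = {"RC4-MD5", "DES-CBC-SHA", "EXP-RC4-MD5", "NULL-SHA"}
TRUSTED_CAS = {"Example Root CA"}              # the proxy's trust store
ALLOWLIST = {"intranet.example.com"}           # domains IT has vetted


@dataclass
class TlsSession:
    host: str            # SNI / destination name
    subject: str         # leaf certificate subject CN
    issuer: str          # leaf certificate issuer CN
    cipher: str          # negotiated cipher suite
    chain_verified: bool  # issuer chains to a trusted root and validates


def evaluate(s: TlsSession) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one observed TLS session."""
    # Allowlisted domains bypass the checks, as the post describes.
    if s.host in ALLOWLIST:
        return "allow", "allowlisted domain"
    if s.cipher in WEAK_CIPHERS:
        return "block", "weak cipher"
    # Simplified self-signed test: subject equals issuer. A real check
    # verifies the certificate signature with its own public key.
    if s.subject == s.issuer:
        return "block", "self-signed certificate"
    if s.issuer not in TRUSTED_CAS or not s.chain_verified:
        return "block", "untrusted CA"
    return "allow", "policy passed"


def summarize(sessions: list[TlsSession]) -> dict[str, str]:
    """Map each host to its decision, e.g. for a review queue or log."""
    return {s.host: evaluate(s)[0] for s in sessions}


# Constructed sample traffic covering each policy branch.
SAMPLE = [
    TlsSession("c2.example.net", "c2.example.net", "c2.example.net", "AES128-SHA", False),
    TlsSession("bank.example.org", "bank.example.org", "Example Root CA", "AES256-SHA", True),
    TlsSession("legacy.example.org", "legacy.example.org", "Example Root CA", "RC4-MD5", True),
    TlsSession("intranet.example.com", "intranet.example.com", "Corp Internal CA", "AES128-SHA", False),
    TlsSession("shop.example.net", "shop.example.net", "Unknown CA", "AES128-SHA", False),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.host, *evaluate(s))
```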