Is it safe to allow traffic to / from a specific site to pass through a firewall / proxy unauthenticated? What are the implications of this?
Security / Web Applications
Last Comment
yokai
8/22/2022 - Mon
Tolomir
If you are sure that the target is authentic and you control the routing from source to target, it's safe.
Otherwise not. And even if it's safe one could eavesdrop on the communication, if the communication is not encrypted.
Tolomir
RaulDias
This depends on who controls the proxy server/firewall.
A proxy/firewall can change the data you receive without you knowing about it.
Pages you access can be logged in the proxy server and a copy of everything you sent/receive.
This is safe only if you control or trust who controls the firewall/proxy.
The only way to avoid this is to access SSL servers, which can't be watched by the proxy server.
If you are sending sensitive data through HTTP without SSL, that can be logged too.
yokai
ASKER
Thanks for the replies! We control the proxy, so I'm not too concerned about that. I'm not sure if the information being sent between the servers is encrypted, though; I will have to find out.
If it turns out that the traffic is not encrypted, is that non-PCI compliant?
Web traffic is encrypted only if it starts with https:// and/or shows you a lock icon in the status bar.
It is up to the server/owner of a web site to decide whether the site uses encryption or not.
Encryption slows down traffic, avoids being cached and costs money (certificates, bandwidth and server resources). So most of the time only sensitive parts of a website are encrypted.
yokai
ASKER
What I'm being told is, the client app is encrypting the username / password using TripleDES and Salt, and the off site web service is sending data back using the same encryption method. Does that make sense or am I getting a line of BS from the consultant? :)
Tolomir
So we are talking here not about a normal webserver accessed by HTTP, but some "self-made" protocol over some user-defined ports?
That's what I'm trying to figure out... looking at the config file, it appears that the traffic is going over your standard HTTP port 80; however, there are also references to "tcp port 8989" (in different sections of the config, not in reference to the web address).
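The thread never settles whether the port 80 and "tcp port 8989" traffic is actually encrypted, and that is the question the proxy owner needs answered before the PCI discussion makes sense. The following is an added example, not code from the thread or from any product mentioned in it: a small triage script that takes the first bytes a client sends on each connection (as a packet capture on the proxy would give you) and sorts each flow into TLS, plaintext HTTP, other readable text, or an opaque binary blob, then flags plaintext HTTP that carries credentials. All flows, ports and payloads below are constructed for the example. One caveat the code makes explicit: an opaque blob on port 8989 could be the consultant's TripleDES-wrapped payload or just a binary protocol; a byte-level check cannot tell those apart, only the client code or a protocol specification can.

```python
"""Triage captured client-to-server payloads: encrypted, plaintext, or opaque?

Added example for the firewall/proxy thread; not from the original page.
Input is the first chunk of bytes a client sent on each TCP connection,
e.g. reassembled from a capture taken on the proxy. All samples are constructed.
"""
import re
from dataclasses import dataclass, field

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ")

# Patterns that indicate credentials travelling in readable HTTP.
SENSITIVE_PATTERNS = {
    "basic-auth-header": re.compile(rb"^Authorization:\s*Basic\s+\S+", re.I | re.M),
    "password-form-field": re.compile(rb"(?:^|[&?])(?:password|passwd|pwd)=", re.I | re.M),
}


@dataclass
class Flow:
    """A constructed stand-in for one TCP connection seen at the proxy."""
    dst_port: int
    payload: bytes  # first bytes the client sent


def classify_payload(data: bytes) -> str:
    """Return 'tls', 'http-plaintext', 'plaintext-other', 'opaque' or 'empty'."""
    if not data:
        return "empty"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
    # two-byte length, then handshake type 0x01 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http-plaintext"
    # Mostly printable bytes means a readable (unencrypted) custom protocol.
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(data) > 0.9:
        return "plaintext-other"
    # Opaque: could be application-layer encryption (e.g. the claimed 3DES
    # wrapping) or just a binary protocol. Bytes alone cannot distinguish them.
    return "opaque"


def find_plaintext_secrets(data: bytes) -> list[str]:
    """Names of credential patterns found in a plaintext HTTP payload."""
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(data)]


@dataclass
class PortReport:
    protocols: set = field(default_factory=set)
    plaintext_secrets: list = field(default_factory=list)


def audit_flows(flows: list[Flow]) -> dict[int, PortReport]:
    """Group flows by destination port and record what was seen on each."""
    report: dict[int, PortReport] = {}
    for f in flows:
        kind = classify_payload(f.payload)
        entry = report.setdefault(f.dst_port, PortReport())
        entry.protocols.add(kind)
        if kind == "http-plaintext":
            entry.plaintext_secrets.extend(find_plaintext_secrets(f.payload))
    return report


# Constructed sample payloads (not real captures).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(32)
HTTP_LOGIN_POST = (b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                   b"username=alice&password=hunter2")
HTTP_BASIC_GET = (b"GET /api HTTP/1.1\r\nHost: app.example.test\r\n"
                  b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n")
READABLE_CUSTOM = b"LOGIN alice hunter2\r\n"
OPAQUE_BLOB = bytes(range(0, 256, 4))

FLOWS = [
    Flow(443, TLS_CLIENT_HELLO),
    Flow(80, HTTP_LOGIN_POST),
    Flow(80, HTTP_BASIC_GET),
    Flow(8989, OPAQUE_BLOB),
    Flow(8989, READABLE_CUSTOM),
]


def main() -> None:
    for port, rep in sorted(audit_flows(FLOWS).items()):
        print(f"port {port}: protocols={sorted(rep.protocols)} "
              f"plaintext_secrets={rep.plaintext_secrets}")


if __name__ == "__main__":
    main()
```

Run it against real captures by replacing `FLOWS` with the first client bytes of each connection; any port that shows `http-plaintext` with a non-empty `plaintext_secrets` list is the case the second reply warned about, where the proxy (or anyone on the path) can log the credentials.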