Unencrypted SSL Traffic

Unanswered Question
Jul 31st, 2007

I have seen a couple of alerts from my IDSM for signature 6005/0 "Unencrypted SSL Traffic." The target IP address is one of my SSL proxy IP addresses (on the CSM-S), TCP port 443. An example of the unencrypted traffic sent:

GET http://www.yahoo.com/ HTTP/1.1.

I have seen 4 such triggers today (each to different URLs) from the same "attacker" IP address. Can anyone tell me how or why this would be happening? Is this a possible bug with a web browser? Does anyone have a suggestion for where I can do further research on this?

Thanks

mhellman Tue, 07/31/2007 - 18:49
User Badges:
  • Blue, 1500 points or more

Interesting. The signature itself is pretty self-explanatory and not normally very useful... for example, you can trigger it using the following URL.

http://www.yahoo.com:443

Generally, I consider this benign. However, context matters. Isn't your CSM-S basically a reverse proxy that sits in front of your web servers? So, are you seeing this on an IDS in front of the CSM and the target IP is an IP address on the CSM?
If they were looking for an open proxy, it would be a CONNECT request. Or am I completely off, and you actually have users using this as a forward proxy to get to the Internet?

t.clark Wed, 08/01/2007 - 05:15

The CSM-S sits in front of web servers and acts as a 'reverse proxy' for those web servers. This is not a forward proxy for allowing users to access the Internet.

The IDS is in front of the CSM-S, so the IDS is reporting a client with a connection to mywebsite.com:443 sending an unencrypted HTTP GET request for www.yahoo.com.

I am also inclined to consider this benign, but I wanted to get some other input because it is so strange.
mhellman Wed, 08/01/2007 - 08:23
User Badges:
  • Blue, 1500 points or more

"so the IDS is reporting a client with a connection to mywebsite.com:443 sending an unencrypted HTTP GET request for www.yahoo.com"
That's the bit that is unusual. It is somewhat more interesting because it's not your own client->Internet traffic. I can't imagine how that could happen accidentally; someone would have to craft it (i.e. modify the HOST header).
