potential Security Issue when offloading SSL if app cannot tell request was SSL

Hi Tom,

 

 

a user could be duped into using a login form without SSL when the webpage expected SSL

 

 

If an attacker could force a client to submit login credentials unencrypted to the legitimate site, having LTM redirect the request to HTTPS wouldn't help much. The victim would have already submitted their credentials in cleartext. Also, if an attacker could force the client to make a request, why wouldn't they send the client to their attacker site and steal the credentials that way?

 

 

That said, I think you've covered a lot of the answers to your points. For customizable applications, it's ideal if you can configure/re-code them to read a custom HTTP header indicating whether the front end connection was encrypted. For apps which this isn't possible for, here are a few options I can think of:

 

 

- encrypt all of the client to VS traffic

 

- re-encrypt the serverside connection

 

- move all of the content which needs to have clientside encryption enabled for into specific directories and then use an iRule to enforce any request to those specific directories is encrypted. This doesn't solve the issue of sensitive data being sent via cleartext traffic if an attacker forces the client to make a request though.

 

 

Here is a post with some related info and links:

 

http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=1170635&ptarget=1170636

 

 

Aaron