Unmonitored HTTPS is a security threat since it is used by SSH tunnels and other security circumvention software

The HTTPS protocol, which all internet users use, can be recognised by the https:// prefix in the URL. Many users use HTTPS for internet banking since it protects against eavesdropping, and this is where the misconception about the safety of the HTTPS protocol starts. HTTPS uses encryption and only protects against eavesdropping. Internet banking has already been successfully targeted by hackers and viruses.

Encryption is a useful feature for internet banking and at the same time a convenient feature for hackers, thieves, VPNs, proxy tunnels and computer viruses: the HTTPS protocol is an ideal mechanism for connecting to servers on the internet because it is encrypted and not monitored by antivirus software. Almost all corporate firewalls allow HTTPS traffic without monitoring or filtering, and therefore HTTPS is beyond any doubt a security threat that needs to be addressed properly.

It is not possible to explain the security threat well without going into technical details. For those who do not understand the technical details, we suggest searching Google for "punching holes into firewalls" and looking at the overwhelming list of search results and the details they provide for circumventing even the most advanced corporate firewall. The technical audience can search for "tunneling SSH over HTTPS".

Proxy tunnels are an easy way to open a gateway from a protected/firewalled LAN to any computer system in the world, and the software to do this is accessible with a simple search on Google. The tunnel can even be configured to be bi-directional: a designated computer system outside the protected LAN can initiate communication to any computer system on the protected LAN! Various types of proxy tunnels are known to exist, and one of the easiest to use is an SSH tunnel. SSH is short for "secure shell" and implements "security" for communication (shell, ftp, X Windows, and any other TCP-based application) between computers; one of its basic features is bi-directional port tunneling. The port tunneling feature is a true nightmare for security officers because firewalls have no knowledge of what is done inside an SSH session.

ufdbGuard puts an end to the nightmare of security officers and can block SSH tunnels. It also blocks proxy tunnels and blocks access to sites that use HTTPS without proper SSL certificates and/or sites addressed by an (anonymous) IP address.

ufdbGuard respects privacy of users and never decrypts HTTPS traffic.
ufdbGuard dynamically probes HTTPS sites and selectively blocks HTTPS traffic. It can optionally block:

  • sites which do not speak SSL+HTTP (e.g. SSH tunnels)
  • known tunneling applications
  • sites without a properly signed SSL certificate
  • sites with weak SSL encryption
  • sites with an IP address in the URL
  • sites which use HTTPS ports for chat applications
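
A probe of the kind described above can be sketched as follows. This is an added example, not ufdbGuard's code: the function names and finding labels are hypothetical, and it assumes the filter opens its own connection to the destination instead of touching the user's session.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

def host_is_ip_literal(target):
    """True when a URL or CONNECT target (host:port) names the site by IP address."""
    url = target if "://" in target else "https://" + target
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def classify_server_first(data):
    """Classify bytes the server sent before the client said anything."""
    if data.startswith(b"SSH-"):
        return "ssh"                # SSH identification string (RFC 4253)
    if not data:
        return "silent"             # normal for TLS: server waits for ClientHello
    return "unknown-plaintext"

def probe(host, port=443, timeout=3.0):
    """Return policy findings for one destination, using the probe's own connections."""
    findings = ["ip-address-in-url"] if host_is_ip_literal(host) else []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(1.0)           # a server-first protocol speaks within a moment
        try:
            first = s.recv(64)
        except socket.timeout:
            first = b""
    kind = classify_server_first(first)
    if kind != "silent":
        return findings + ["not-tls:" + kind]
    ctx = ssl.create_default_context()   # verifies certificate chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                if not tls.recv(16).startswith(b"HTTP/"):
                    findings.append("tls-but-not-http")
    except ssl.SSLCertVerificationError:
        findings.append("certificate-not-trusted")
    except ssl.SSLError:
        findings.append("tls-handshake-failed")
    except socket.timeout:
        findings.append("tls-or-http-timeout")
    return findings
```

An empty findings list means the destination answered as TLS with a trusted certificate and spoke HTTP inside it; each label corresponds to one of the optional blocking rules in the list above.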