[3780] in WWW Security List Archive
Using proxies to bypass ITAR
daemon@ATHENA.MIT.EDU (John Lehmann (SSASyd))
Wed Dec 11 19:47:23 1996
From: "John Lehmann (SSASyd)" <LEHMANNJ@saatchi.com.au>
To: "'www-security'" <www-security@ns2.rutgers.edu>
Date: Thu, 12 Dec 96 09:44:00 S
Errors-To: owner-www-security@ns2.rutgers.edu
Hello,

I have just been a part of setting up a major department store online
(here, in Australia). For a number of reasons, we chose to use WinNT and
MIIS and so are limited by ITAR to using a 40-bit key. In the long term
this is obviously unacceptable, as is also using a 56-bit key or any of
the other funny escrowie solutions proposed by the US government.

A computer running Apache-SSL sits on the other end of my desk. I have
been contemplating suggesting to our client that they move to some such
more flexible arrangement, at least for the sections of the site that
deal with such details as credit-card numbers. There has, however, been
a large investment in working with MIIS, that I am loath to redo. *sigh*

I have been watching the recent discussion of more-secure-proxy-server
wrappers (Securescape, SafePassage) with great interest. As they become
more common at various levels (I believe that many Australian ISPs offer
SSL-proxying, and most of them seem to be using Apache, rather than one
of the crippled US-developed servers) it will become sensible to offer a
better level of security to customers.

So, I was wondering, would it be feasible to wrap (with a firewall) a
US-developed-server-with-poor-security in a more-secure-proxy in a manner
complementary to the service offered by SafePassage and similar products?
--
John Lehmann
Saatchi & Saatchi, Interactive