You can't do anything about this really. If you introduce a "man in the
middle" scenario with a load balancer or proxy like you are doing that
supports SSL termination, then that's a risk you are taking. In that case,
someone would need to give the proxy the certificate your web server uses,
so I'd assume these risks were considered, right? Some of these types of
devices can reinitiate SSL back to the web server as well and thus provide
end to end encryption. We typically use this type of behavior with our load
balancers in our data center to ensure traffic is encrypted end to end.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"anoop" <> wrote in message
news:67EA34D5-1456-4BC4-94BD-...
>
> Hello,
> I have also implemented SSL, but if I intercept the Authentication
> Credentials in intercepting Proxy such as PAROS or Burp Proxy. As these
> intercepting proxies send their own certificates, login Credentials can
> still be seen in clear text passing from client to Server.
>
> Thank you
> "Dominick Baier" wrote:
>
>> You can't do that easily - and it doesn't make sense.
>>
>> What you really want is SSL protecting the complete connection...
>>
>>
>> -----
>> Dominick Baier (http://www.leastprivilege.com)
>>
>> Developing More Secure Microsoft ASP.NET 2.0 Applications
>> (http://www.microsoft.com/mspress/books/9989.asp)
>>
>> > Hello,
>> > If I use RSACryptoServiceProvider in ASP.Net, it can only be
>> > implemented at Server Side. But Authentication Credentials are still
>> > passing in clear text from Client to Server. What should I do to
>> > encrypt passing of Authentication Credentials from Client to Server?
>> >
>> > Thank you.
>> >
>>
>>
>>
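
The two proxy arrangements described in the top reply (SSL terminated at the proxy, versus SSL re-initiated from the proxy to the web server) sketched as an nginx configuration fragment for the `http` context. This is an added example and does not come from any poster in the thread; the choice of nginx, the hostnames, the address and the file paths are all assumptions.

```nginx
# Added example. All names, addresses and paths below are assumed.

# Variant A: TLS ends at the proxy. The hop from the proxy to the
# web server is plain HTTP, so credentials are readable on that segment.
server {
    listen 443 ssl;
    server_name terminate.example.test;

    # The proxy holds the certificate and key that clients see.
    ssl_certificate     /etc/nginx/tls/site.crt;
    ssl_certificate_key /etc/nginx/tls/site.key;

    location / {
        proxy_pass http://10.0.0.10:80;
    }
}

# Variant B: the proxy re-initiates TLS to the web server, so both
# hops are encrypted. The proxy still sees the decrypted request.
server {
    listen 443 ssl;
    server_name reencrypt.example.test;

    ssl_certificate     /etc/nginx/tls/site.crt;
    ssl_certificate_key /etc/nginx/tls/site.key;

    location / {
        proxy_pass https://web01.internal.example.test:443;

        # Send SNI and check the backend certificate name against it.
        proxy_ssl_server_name on;
        proxy_ssl_name web01.internal.example.test;

        # Without verification the second TLS hop accepts any
        # certificate, including one from another interceptor.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }
}
```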