topic Re: Bypass Telegram App traffic for ssl decryption in General Topics

Bypass Telegram App traffic for ssl decryption

BigPalo — Fri, 29 Apr 2022 09:37:05 GMT

Hi,

Is there any way to bypass the Telegram app traffic for SSLdecrypt? any idea?

Re: Bypass Telegram App traffic for ssl decryption

LAYER_8 — Fri, 29 Apr 2022 17:02:30 GMT

Firewalls are positive enforcement, meaning they will only do explicitly what you tell them to.

If you don't have a rule to decrypt telegram, it won't happen.

If telegram is being picked up as a different app, you can create or modify existing App-IDs to get granular enough to exclude/include.

If you are a user on a corporate network that IS decrypting telegram, this isn't the place to talk about offensive sec and product bypassing 🙂

Re: Bypass Telegram App traffic for ssl decryption

BigPalo — Sun, 01 May 2022 17:55:22 GMT

The SSL decrypt rule are based on categories. So no option to only no decrypt "telegram".

Re: Bypass Telegram App traffic for ssl decryption

LAYER_8 — Mon, 02 May 2022 16:25:50 GMT

You have the ability to create custom categories (EDLs, static lists, etc)

Re: Bypass Telegram App traffic for ssl decryption

laurence64 — Tue, 03 May 2022 08:33:09 GMT

SSL Decrypt is controlled via URL category and you can also use ports within the Decrypt policy, frankly I am shocked that Telegram does not use a pinned-cert, if it did it would be in the Decryption exclusion list Device > SSL Decryption Exclusion however the best thing to do would be (in the absence of any useful info on the Telegram website) carry out a packet capture on the firewall and identify the traffic in question and more accurately check where the app is going URL wise.

A good starting point would be a custom URL category with Telegram added and then a do not decrypt policy above your broad decryption policy, however the packet capture would show the detail and this could also be added to the URL category.