https://live.paloaltonetworks.com/t5/general-topics/exclude-certificates-generated-by-a-third-party-ca-from-being/m-p/50305#M37039 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P> I don't trust them but :</P><P></P><OL><LI>If I trust their CA, they could sign anything that my user would think is leggit website. And I am 100% sure that they don't take any special measures to protect their CAs . I still want websites to remain untrusted for browser, which is not possible if PA trusts their CA.</LI><LI><EM><SPAN style="background-color: #ffffff;">"</SPAN><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Otherwise you can add excludes to a "whitelist" in the PA (listed at </SPAN><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="1423" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-1423" style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #316989; background-color: #ffffff;">List of Applications Excluded from SSL Decryption</A><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"> )" &lt;-- </SPAN></EM><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">doing such thing means that hackers will get the habbit to use websites that are like&nbsp; site1.gov.co.uk with selfsigned certicates because they know they aren't inspected : applications ignored by SSL Decryption in this case aren't checked against known CAs</SPAN></LI><LI><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Usually , tools provided by these organization are checking that the certificate of website/webapp is signed by their internal CA.</SPAN></LI><LI><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Also, these tools are often using Client certificates , which makes Decryption impossible.</SPAN></LI></OL><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"> For all these reasons, the only viable possibility is to allow to ignore SSL Decryption when cert is signed by a list third party CA that would be fed by customer. Decryption Policy panel and stack needs a real big revamp to be usable (in addtion of TLS proper implementation)</SPAN></P></BODY></HTML> Thu, 20 Sep 2012 08:14:06 GMT essnet 2012-09-20T08:14:06Z https://live.paloaltonetworks.com/t5/general-topics/exclude-certificates-generated-by-a-third-party-ca-from-being/m-p/50303#M37037 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P> The use is very simple : many government agencies (social security, tax collecters...) are using SSL websites signed with own CA (which is great for their own security) but creates many problems with PA decryption.</P><P></P><P> Is there a way configure PaloAlto to exclude from Decryption of certicates generated by a list of third-party CAs I would feed by myself ?</P><P></P><P>Thank you for your time</P></BODY></HTML> Wed, 19 Sep 2012 13:51:58 GMT https://live.paloaltonetworks.com/t5/general-topics/exclude-certificates-generated-by-a-third-party-ca-from-being/m-p/50303#M37037 essnet 2012-09-19T13:51:58Z https://live.paloaltonetworks.com/t5/general-topics/exclude-certificates-generated-by-a-third-party-ca-from-being/m-p/50304#M37038 <HTML><HEAD></HEAD><BODY><P>Why not download their public root cert and import it as a trusted authority in your PA so it will successfully decrypt their traffic (because traffic coming from a gov site doesnt necessary mean that it is clean <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />)</P><P></P><P>Otherwise you can add excludes to a "whitelist" in the PA (listed at <A __default_attr="1423" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A> )</P><P></P><P>Unfortunately I dont currently recall what the CLI command is for that...</P></BODY></HTML> Wed, 19 Sep 2012 19:54:27 GMT https://live.paloaltonetworks.com/t5/general-topics/exclude-certificates-generated-by-a-third-party-ca-from-being/m-p/50304#M37038 mikand 2012-09-19T19:54:27Z https://live.paloaltonetworks.com/t5/general-topics/exclude-certificates-generated-by-a-third-party-ca-from-being/m-p/50305#M37039 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P> I don't trust them but :</P><P></P><OL><LI>If I trust their CA, they could sign anything that my user would think is leggit website. And I am 100% sure that they don't take any special measures to protect their CAs . I still want websites to remain untrusted for browser, which is not possible if PA trusts their CA.</LI><LI><EM><SPAN style="background-color: #ffffff;">"</SPAN><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Otherwise you can add excludes to a "whitelist" in the PA (listed at </SPAN><A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="1423" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-1423" style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #316989; background-color: #ffffff;">List of Applications Excluded from SSL Decryption</A><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"> )" &lt;-- </SPAN></EM><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">doing such thing means that hackers will get the habbit to use websites that are like&nbsp; site1.gov.co.uk with selfsigned certicates because they know they aren't inspected : applications ignored by SSL Decryption in this case aren't checked against known CAs</SPAN></LI><LI><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Usually , tools provided by these organization are checking that the certificate of website/webapp is signed by their internal CA.</SPAN></LI><LI><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Also, these tools are often using Client certificates , which makes Decryption impossible.</SPAN></LI></OL><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"> For all these reasons, the only viable possibility is to allow to ignore SSL Decryption when cert is signed by a list third party CA that would be fed by customer. Decryption Policy panel and stack needs a real big revamp to be usable (in addtion of TLS proper implementation)</SPAN></P></BODY></HTML> Thu, 20 Sep 2012 08:14:06 GMT https://live.paloaltonetworks.com/t5/general-topics/exclude-certificates-generated-by-a-third-party-ca-from-being/m-p/50305#M37039 essnet 2012-09-20T08:14:06Z