<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Mitigating risk of not decrypting "online storage and backup" URL category. in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/mitigating-risk-of-not-decrypting-quot-online-storage-and-backup/m-p/73642#M41483</link>
    <description>&lt;P&gt;We've been having some issues with websites like DropBox, Hightail etc since configuring SSL Decryption. I believe this relates to a security technique called "Certificate Pinning". I've resolved the issue by adding the "Online Storage &amp;amp; Backup" URL category into a no-decrypt policy but it concerns me that opening up the entire category is a risk and could result in unwanted content entering our network.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We have a large number of suppliers who send product related files to us using applications like DropBox but because they don't use a common platform these files can come from a number of different file sharing sites. This makes it tricky to use a custom URL category. Additionally there are a high number of internal users who need to access the files for download. So restricting access down to a select few isn't going to work.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'd like to find out if others have had this issue and how they mitigated the risk. I don't think I'm going to be able to eliminate the risk but if I can reduce it then I will be much happier.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm still only fairly new to PA's so maybe just my inexperience is not allowing me to resolve this.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Appreciate anyone's thoughts!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks!&lt;/P&gt;</description>
    <pubDate>Fri, 26 Feb 2016 03:54:28 GMT</pubDate>
    <dc:creator>Mitre10</dc:creator>
    <dc:date>2016-02-26T03:54:28Z</dc:date>
    <item>
      <title>Mitigating risk of not decrypting "online storage and backup" URL category.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/mitigating-risk-of-not-decrypting-quot-online-storage-and-backup/m-p/73642#M41483</link>
      <description>&lt;P&gt;We've been having some issues with websites like DropBox, Hightail etc since configuring SSL Decryption. I believe this relates to a security technique called "Certificate Pinning". I've resolved the issue by adding the "Online Storage &amp;amp; Backup" URL category into a no-decrypt policy but it concerns me that opening up the entire category is a risk and could result in unwanted content entering our network.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We have a large number of suppliers who send product related files to us using applications like DropBox but because they don't use a common platform these files can come from a number of different file sharing sites. This makes it tricky to use a custom URL category. Additionally there are a high number of internal users who need to access the files for download. So restricting access down to a select few isn't going to work.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'd like to find out if others have had this issue and how they mitigated the risk. I don't think I'm going to be able to eliminate the risk but if I can reduce it then I will be much happier.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm still only fairly new to PA's so maybe just my inexperience is not allowing me to resolve this.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Appreciate anyone's thoughts!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Fri, 26 Feb 2016 03:54:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/mitigating-risk-of-not-decrypting-quot-online-storage-and-backup/m-p/73642#M41483</guid>
      <dc:creator>Mitre10</dc:creator>
      <dc:date>2016-02-26T03:54:28Z</dc:date>
    </item>
    <item>
      <title>Re: Mitigating risk of not decrypting "online storage and backup" URL category.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/mitigating-risk-of-not-decrypting-quot-online-storage-and-backup/m-p/73689#M41502</link>
      <description>&lt;P&gt;Hi Mitre,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;From a security perspective, I would NOT trust this category but would rather try to resolve issues with pinning by adjusting my browser's preferences and importing your firewall's certificate into the browser store itself. Also, when importing the root CA into Firefox, for some reason I still needed to go through Firefox's preferences and edit this certificate to allow it to sign other websites; from then on I did not have problems being MITM for the majority of websites. You can further play with decryption settings just for your zone until you figure out a good recipe, but generally you should be able to import certs and decrypt lots of domains that go into that category.&lt;/P&gt;
&lt;P&gt;Here you can find an explanation of how to completely disable pinning in Firefox:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning" target="_blank"&gt;https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;But check it - it says it is on 1 by default, allowing MITM for any certificate already installed and trusted in the store. 2 is enforcing pinned certs always, 0 is off. Try to check your cert import and test a bit around your lab, it should work.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;At worst, give me an example of a website and let me see if I can force it to decrypt in my lab &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Best regards&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;Luciano&lt;/P&gt;</description>
      <pubDate>Fri, 26 Feb 2016 18:15:44 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/mitigating-risk-of-not-decrypting-quot-online-storage-and-backup/m-p/73689#M41502</guid>
      <dc:creator>Lucky</dc:creator>
      <dc:date>2016-02-26T18:15:44Z</dc:date>
    </item>
    <item>
      <title>Re: Mitigating risk of not decrypting "online storage and backup" URL category.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/mitigating-risk-of-not-decrypting-quot-online-storage-and-backup/m-p/74104#M41610</link>
      <description>&lt;P&gt;Thanks for the detailed reply Luciano. I'll do some further work on this based on your advice. Appreciate it!&lt;/P&gt;</description>
      <pubDate>Thu, 03 Mar 2016 23:46:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/mitigating-risk-of-not-decrypting-quot-online-storage-and-backup/m-p/74104#M41610</guid>
      <dc:creator>Mitre10</dc:creator>
      <dc:date>2016-03-03T23:46:54Z</dc:date>
    </item>
    <item>
      <title>Re: Mitigating risk of not decrypting "online storage and backup" URL category.</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/mitigating-risk-of-not-decrypting-quot-online-storage-and-backup/m-p/74194#M41633</link>
      <description>&lt;P&gt;Hi, Mitre,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You are welcome. This seems to be a problem, occasionally, not just for you &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; I have to take a deeper look into it next week again, FF specifically, and I will report if I experience some bigger problems.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Best regards&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Luciano&lt;/P&gt;</description>
      <pubDate>Sat, 05 Mar 2016 04:27:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/mitigating-risk-of-not-decrypting-quot-online-storage-and-backup/m-p/74194#M41633</guid>
      <dc:creator>Lucky</dc:creator>
      <dc:date>2016-03-05T04:27:09Z</dc:date>
    </item>
  </channel>
</rss>

