https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/148340#M49570 <P>Here is the CERT report outlining the issues when settting up corporate decryption and not mentioning any specific vendors.</P><P>&nbsp;</P><P><A href="https://www.us-cert.gov/ncas/alerts/TA17-075A" target="_blank">https://www.us-cert.gov/ncas/alerts/TA17-075A</A></P><P>&nbsp;</P><P>Would be a good exercise to have a best practices document for how PA could follow these recomendations.</P> Sun, 19 Mar 2017 16:59:44 GMT pulukas 2017-03-19T16:59:44Z https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/146418#M49189 <P>On Feb 2017, some universities, Mozilla, Cloudflare, and Google released&nbsp;this&nbsp;paper on corporate and desktop HTTPS&nbsp;interception.</P><P>&nbsp;</P><P>First they figured out how to identify when someone connects to a web server through an SSL interception appliance. Then they found that most corporate "man-in-the-middle' appliances expose security vulnuerabilities. Basically, most appliances don't mirror the client's browser TLS handshake, and instead uses its own less secure cipher suite.</P><P>&nbsp;</P><P>So for example, your browser requests to connect to google.com with TLS 1.2 with AES, the firewall decrypts it, then re-encrypts it with a weaker TLS handshake (like TLS 1.0 with RC4, or worse). This effectively makes your browser's connection far less secure.</P><P>&nbsp;</P><P>The paper grades a few appliances. Bluecoat got an "A", but Cisco got an "F". Sophos and Juniper got a "C".&nbsp;Unfortunately Palo Alto isn't graded,&nbsp;and I don't know what method it uses.</P><P>&nbsp;&nbsp;</P><P>Here's the link to the paper (PDF hosted by one of the paper's authors, Zakir Durumeric): <A href="https://zakird.com/papers/https_interception.pdf" target="_self">The Security Impact of SSL Interception</A>&nbsp;(<A href="https://zakird.com/papers/https_interception.pdf" target="_blank">https://zakird.com/papers/https_interception.pdf</A>). The juicy stuff is on page 5.</P><P>&nbsp;</P><P>Also here is a link to an article summary about it, in case the PDF doesn't work:&nbsp;<A href="https://www.helpnetsecurity.com/2017/02/10/https-interception/" target="_blank">https://www.helpnetsecurity.com/2017/02/10/https-interception/</A></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 07 Mar 2017 16:14:53 GMT https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/146418#M49189 Maxstr 2017-03-07T16:14:53Z https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/146435#M49191 <P>Great highlight...I couldn't open your link though...</P><P>&nbsp;</P><P>I did some Google sloothing and found this BlackHat article on this topic:</P><P>&nbsp;</P><P><A href="https://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-Slides.pdf&nbsp;" target="_blank">https://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-Slides.pdf&nbsp;</A></P> Tue, 07 Mar 2017 16:00:17 GMT https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/146435#M49191 Brandon_Wertz 2017-03-07T16:00:17Z https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/146444#M49193 Don't know why that link doesn't work, but it's directly from one of the author's site. I added another link that has some article about it too. Tue, 07 Mar 2017 16:05:44 GMT https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/146444#M49193 Maxstr 2017-03-07T16:05:44Z https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/146446#M49194 <P>*It's possible my company was blocking an IP for the site...(I didn't really care to look through firewall logs to confirm) lol*</P> Tue, 07 Mar 2017 16:14:44 GMT https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/146446#M49194 Brandon_Wertz 2017-03-07T16:14:44Z https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/146447#M49195 oops, I clicked accept instead of quick reply...<BR /><BR />I wish I could attach files to the post but I don't think they have feature here. Tue, 07 Mar 2017 16:16:47 GMT https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/146447#M49195 Maxstr 2017-03-07T16:16:47Z https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/148340#M49570 <P>Here is the CERT report outlining the issues when settting up corporate decryption and not mentioning any specific vendors.</P><P>&nbsp;</P><P><A href="https://www.us-cert.gov/ncas/alerts/TA17-075A" target="_blank">https://www.us-cert.gov/ncas/alerts/TA17-075A</A></P><P>&nbsp;</P><P>Would be a good exercise to have a best practices document for how PA could follow these recomendations.</P> Sun, 19 Mar 2017 16:59:44 GMT https://live.paloaltonetworks.com/t5/general-topics/research-paper-shows-vulnerabilities-with-ssl-interception/m-p/148340#M49570 pulukas 2017-03-19T16:59:44Z