Mitigating risk of not decrypting "online storage and backup" URL category.

L0 Member

We've been having some issues with websites like DropBox, Hightail, etc. since configuring SSL Decryption. I believe this relates to a security technique called "Certificate Pinning". I've resolved the issue by adding the "Online Storage & Backup" URL category into a no-decrypt policy, but it concerns me that opening up the entire category is a risk and could result in unwanted content entering our network.

We have a large number of suppliers who send product-related files to us using applications like DropBox, but because they don't use a common platform, these files can come from a number of different file sharing sites. This makes it tricky to use a custom URL category. Additionally, there are a high number of internal users who need to access the files for download, so restricting access down to a select few isn't going to work.

I'd like to find out if others have had this issue and how they mitigated the risk. I don't think I'm going to be able to eliminate the risk, but if I can reduce it then I will be much happier.

I'm still only fairly new to PAs, so maybe it's just my inexperience that is not allowing me to resolve this.

Appreciate anyone's thoughts!

Thanks!

3 REPLIES

L5 Sessionator

Hi Mitre,

From a security perspective, I would NOT trust this category, but would rather try to resolve the issues with pinning by adjusting my browser's preferences and importing your firewall's certificate into the browser store itself. Also, when importing the root CA into Firefox, for some reason I still needed to go through Firefox's preferences and edit this certificate to allow it to sign other websites; from then on I did not have problems being MITM for the majority of websites. You can further play with decryption settings just for your zone until you figure out a good recipe, but generally you should be able to import certs and decrypt lots of domains that go into that category.

Here you can find an explanation of how to completely disable pinning in Firefox:

https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning

But check it - it says it is on 1 by default, allowing MITM for any certificate already installed and trusted in the store. 2 is enforcing pinned certs always, 0 is off. Try to check your cert import and test a bit around your lab; it should work.

At worst, give me an example of a website and let me see if I can force it to decrypt in my lab 🙂

Best regards

Luciano
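
The three enforcement levels described in the reply above, modelled as an added example (not part of the original posts and not Firefox's own code). The SPKI byte strings, the pin set and the function names are constructed for illustration; a pin is taken to be the base64 SHA-256 of a certificate's SubjectPublicKeyInfo.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64 of the SHA-256 of a SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pinning_allows(chain_spkis, pinset, root_is_builtin, level):
    """Model the pinning decision for one TLS connection to a pinned host.

    chain_spkis     -- SPKI bytes of each certificate in the validated chain
    pinset          -- set of pins the client holds for the host
    root_is_builtin -- True if the chain ends at a CA shipped with the browser,
                       False if it ends at a CA imported by the user or admin
    level           -- 0 = off, 1 = allow imported roots, 2 = always enforce
    """
    if level == 0:
        return True
    if level == 1 and not root_is_builtin:
        return True  # chain ends at an imported CA: the pin check is skipped
    return any(spki_pin(s) in pinset for s in chain_spkis)


# Constructed stand-ins for SPKI bytes (not real keys).
SITE_LEAF = b"constructed-spki: file-sharing site leaf"
PUBLIC_CA = b"constructed-spki: public issuing CA"
FW_LEAF = b"constructed-spki: leaf re-signed by the firewall"
FW_CA = b"constructed-spki: firewall decryption CA"

PINSET = {spki_pin(PUBLIC_CA)}  # the host is pinned to its real issuing CA

# Path without decryption vs. path where the firewall re-signs the certificate.
DIRECT = dict(chain_spkis=[SITE_LEAF, PUBLIC_CA], root_is_builtin=True)
DECRYPTED = dict(chain_spkis=[FW_LEAF, FW_CA], root_is_builtin=False)


def outcome_table():
    """Return {(path, level): allowed} for both paths at levels 0, 1 and 2."""
    paths = {"direct": DIRECT, "decrypted": DECRYPTED}
    return {(name, lvl): pinning_allows(pinset=PINSET, level=lvl, **p)
            for name, p in paths.items() for lvl in (0, 1, 2)}


if __name__ == "__main__":
    for (name, lvl), ok in sorted(outcome_table().items()):
        print(f"{name:9} level={lvl} -> {'connect' if ok else 'pin failure'}")
```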

Thanks for the detailed reply Luciano. I'll do some further work on this based on your advice. Appreciate it!

Hi, Mitre,

You are welcome. This seems to be a problem, occasionally, not just for you 🙂 I have to take a deeper look into it next week again, FF specifically, and I will report if I experience some bigger problems.

Best regards

Luciano
