Mitigating risk of not decrypting "online storage and backup" URL category.

L0 Member

Mitigating risk of not decrypting "online storage and backup" URL category.

We've been having some issues with websites like DropBox, Hightail etc since configuring SSL Decryption. I believe this relates to a security technique called "Certificate Pinning". I've resolved the issue by adding the "Online Storage & Backup" URL category into a no-decrypt policy but it concerns me that opening up the entire category is a risk and could result in unwanted content entering our network.

 

We have a large number of suppliers who send product related files to us using applications like DropBox but because they don't use a common platform these files can come from a number of different file sharing sites. This makes it tricky to use a custom URL category. Additionally there are a high number of internal users who need to access the files for download. So restricting access down to a select few isn't going to work.

 

I'd like to find out if others have had this issue and how they mitigated the risk. I don't think I'm going to be able to eliminate the risk but if I can reduce it then I will be much happier.

 

I'm still only fairly new to PA's so maybe just my inexperience is not allowing me to resolve this.

 

Appreciate anyone's thoughts!

 

Thanks!

L5 Sessionator

Re: Mitigating risk of not decrypting "online storage and backup" URL category.

Hi Mitre,

 

From a security perspective, I would NOT trust this category but would rather try to resolve issues with pinning by adjusting my browser's preferences and importing your firewall's certificate into the browser store itself. Also, when importing the root CA into Firefox, for some reason I still needed to go through Firefox's preferences and edit this certificate to allow it to sign other websites; from then on I did not have problems being MITM for the majority of websites. You can further play with decryption settings just for your zone until you figure out a good recipe, but generally you should be able to import certs and decrypt lots of domains that go into that category.

Here you can find an explanation of how to completely disable pinning in Firefox:

https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#How_to_use_pinning

But check it - it says it is on 1 by default, allowing MITM for any certificate already installed and trusted in the store. 2 is enforcing pinned certs always, 0 is off. Try to check your cert import and test a bit around your lab, it should work.

 

At worst, give me an example of a website and let me see if I can force it to decrypt in my lab :)

 

Best regards


Luciano
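
An added example, not part of the original posts: a small Python check that reads the text of a Firefox profile's `prefs.js` and `user.js` and reports which of the pinning levels described in the reply above is in effect. The pref name `security.cert_pinning.enforcement_level` and the two file names are Firefox's own; the function names, the verdict labels and the sample profile text are constructed for illustration.

```python
import re

PREF = "security.cert_pinning.enforcement_level"
DEFAULT_LEVEL = 1  # value in effect when the profile does not set the pref

# Matches an active assignment; lines commented out with // do not match.
_ASSIGN = re.compile(
    r'^[ \t]*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(-?\d+)\s*\)\s*;',
    re.MULTILINE,
)

def effective_level(prefs_js="", user_js=""):
    """Level Firefox would use: user.js is applied over prefs.js, the last
    assignment in a file wins, and an unset pref means the default."""
    level = DEFAULT_LEVEL
    for text in (prefs_js, user_js):
        found = _ASSIGN.findall(text)
        if found:
            level = int(found[-1])
    return level

def assess(level):
    """Verdict for a network that decrypts TLS with its own CA
    (labels are this example's own, based on the levels in the reply)."""
    if level == 1:
        return "ok"          # locally trusted firewall CA is accepted, other pins hold
    if level == 0:
        return "too-weak"    # pinning is off for every issuer, not only the firewall
    if level == 2:
        return "will-break"  # pinned sites fail once the firewall re-signs them
    return "unknown"

def audit(profiles):
    """profiles: {name: (prefs_js_text, user_js_text)} -> {name: (level, verdict)}"""
    result = {}
    for name, (prefs_js, user_js) in profiles.items():
        level = effective_level(prefs_js, user_js)
        result[name] = (level, assess(level))
    return result

# Constructed sample profiles (not taken from a real machine).
SAMPLE = {
    "default": ('user_pref("browser.startup.page", 3);\n', ""),
    "pinning-off": ('user_pref("' + PREF + '", 0);\n', ""),
    "strict": ('// user_pref("' + PREF + '", 0);\n', 'user_pref("' + PREF + '", 2);\n'),
}

if __name__ == "__main__":
    for name, (level, verdict) in audit(SAMPLE).items():
        print(f"{name}: level={level} verdict={verdict}")
```
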

L0 Member

Re: Mitigating risk of not decrypting "online storage and backup" URL category.

Thanks for the detailed reply Luciano. I'll do some further work on this based on your advice. Appreciate it!

L5 Sessionator

Re: Mitigating risk of not decrypting "online storage and backup" URL category.

Hi, Mitre,

 

You are welcome. This seems to be a problem, occasionally, not just for you :) I have to take a deeper look into it next week again, FF specifically, and I will report if I experience some bigger problems.

 

Best regards

 

Luciano
