03-07-2017 07:38 AM - edited 03-07-2017 08:14 AM
In Feb 2017, some universities, Mozilla, Cloudflare, and Google released this paper on corporate and desktop HTTPS interception.
First they figured out how to identify when someone connects to a web server through an SSL interception appliance. Then they found that most corporate "man-in-the-middle" appliances expose security vulnerabilities. Basically, most appliances don't mirror the client's browser TLS handshake, and instead use their own less secure cipher suite.
So for example, your browser requests to connect to google.com with TLS 1.2 with AES, the firewall decrypts it, then re-encrypts it with a weaker TLS handshake (like TLS 1.0 with RC4, or worse). This effectively makes your browser's connection far less secure.
The paper grades a few appliances. Bluecoat got an "A", but Cisco got an "F". Sophos and Juniper got a "C". Unfortunately Palo Alto isn't graded, and I don't know what method it uses.
Here's the link to the paper (PDF hosted by one of the paper's authors, Zakir Durumeric): The Security Impact of SSL Interception (https://zakird.com/papers/https_interception.pdf). The juicy stuff is on page 5.
Also here is a link to an article summary about it, in case the PDF doesn't work: https://www.helpnetsecurity.com/2017/02/10/https-interception/
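As an added example (not from the post above or from the paper), here is a small client-side check for the downgrade the post describes: it grades the protocol and cipher a TLS session actually negotiated against a floor, and can probe a live host so a user behind an interception appliance can see what the hop to the appliance ended up with and which CA re-signed the certificate. The policy thresholds and the weak-cipher marker list are assumptions, not anything the paper specifies.

```python
"""Client-side check for a downgraded TLS session.

Added example, not from the LIVEcommunity post or the paper. It grades the
protocol and cipher that a client actually negotiated, so a user behind an
interception appliance can see whether the hop to the appliance is weaker
than what the browser asked for. Policy thresholds below are assumptions.
"""
import socket
import ssl

# Ordered from weakest to strongest; assumed policy: TLS 1.2 is the floor.
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_PROTOCOL = "TLSv1.2"

# Cipher-name fragments that mark a weak suite (assumed list).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ANON")


def grade_handshake(protocol: str, cipher: str) -> dict:
    """Return a verdict for a negotiated (protocol, cipher) pair."""
    problems = []
    rank = PROTOCOL_RANK.get(protocol)
    if rank is None:
        problems.append(f"unknown protocol {protocol!r}")
    elif rank < PROTOCOL_RANK[MIN_PROTOCOL]:
        problems.append(f"protocol {protocol} below floor {MIN_PROTOCOL}")
    upper = cipher.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            problems.append(f"weak cipher component {marker} in {cipher}")
    return {"protocol": protocol, "cipher": cipher,
            "ok": not problems, "problems": problems}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a real TLS connection and grade what was negotiated.

    The client offers Python's default (strong) settings; anything weaker in
    the result was chosen by whatever terminated the handshake, which on a
    corporate network is often the interception appliance, not the origin.
    The certificate issuer is reported so a corporate CA is visible. If the
    corporate CA is not in the local trust store, wrap_socket raises instead.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            cipher_name = tls.cipher()[0]
            # getpeercert()["issuer"] is a tuple of RDNs, each a 1-tuple of (key, value).
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
    result = grade_handshake(version, cipher_name)
    result["issuer"] = issuer.get("organizationName", "?")
    return result


if __name__ == "__main__":
    # Constructed samples: what the browser offered vs. a re-negotiated downstream hop.
    for proto, suite in [("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"), ("TLSv1", "RC4-SHA")]:
        print(grade_handshake(proto, suite))
```

Run `probe("example.com")` from inside the network to see the real negotiated values; a verdict with problems, or an issuer that is your own corporate CA rather than a public one, tells you the session was terminated by an appliance and what it chose for the client-side leg.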
03-07-2017 08:00 AM
Great highlight...I couldn't open your link though...
I did some Google sleuthing and found this BlackHat article on this topic:
https://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SSL_TLS_Interception-Slides.pdf
03-07-2017 08:14 AM
*It's possible my company was blocking an IP for the site...(I didn't really care to look through firewall logs to confirm) lol*
03-19-2017 09:59 AM
Here is the CERT report outlining the issues when setting up corporate decryption and not mentioning any specific vendors.
https://www.us-cert.gov/ncas/alerts/TA17-075A
Would be a good exercise to have a best practices document for how PA could follow these recommendations.