SSL decryption for public use?


L4 Transporter

We provide internet access for public use (wifi hotspot). For better control and visibility, I would like to introduce SSL decryption (we already use it for our internal users). But there is no way I can deploy the certificate to those users (who I don't know, and whose devices I don't control).

Is there any way I can enhance control and visibility of web applications in another way? "Transparent" SSL decryption?

5 REPLIES

L7 Applicator

Hello Dieterb,

Even if you do not deploy that certificate to the wifi hotspot users, the traffic will be decrypted. But every time they access any SSL page, they will get a certificate warning, since the self-generated certificate is issued by the PAN firewall and is not in the browser's certificate ring.

A related discussion thread on the same topic: Decryption certificate

Hope this helps.

Thanks

I know, but I think it's not done to confront users with constant certificate errors.

I know about the SSL decryption opt-out response page. I could warn the users with this. But I think that is a global option, so it would also appear to our internal users (which is not necessary).

What do others do with public internet traffic passing their PA?

Yes, you are correct. The opt-out response page is a global setting, hence it will be applicable to your internal users as well.

How to Enable/Reset the Opt-Out Page for SSL Decryption

Thanks

L2 Linker

Hi dieterb,

The only way that you might be able to accomplish this is to use a decrypt certificate that is issued by a trusted root CA.

This is the only option since you do not have the ability to push the cert yourself to the devices, since you do not control them.

Using an untrusted certificate looks bad and will prompt the users every time they visit a site to accept the "risk", since their traffic is being "man-in-the-middled" by a device whose certificate comes from an unknown CA.

You can pay a couple of hundred dollars and get a cert and have no worries about this at all. Most of the customers I have seen prefer this solution.

I hope this helps you.

BR

Hi ialeksov,

It's not possible to purchase a trusted root CA. What you can buy is a server-type certificate, with a specific hostname.

If it was so easy, you can easily imagine the world would not be secure anymore....
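To make the replies' point concrete, here is an added example (Go standard library only; not code from this thread or from Palo Alto Networks) that builds the certificates involved and runs a browser-style chain validation for three clients: an internal user with the firewall's CA installed, a hotspot user without it, and a hotspot user if the firewall re-signed sites with a purchased server certificate instead of a CA. All names (hotspot-firewall-ca, www.example.com, hotspot.example.net, public-root-stand-in) are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a cert for cn with parent (self-signed when nil); isCA sets the basicConstraints CA flag.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !isCA { // a server cert is bound to one hostname and may only authenticate a server, never sign
		tmpl.KeyUsage, tmpl.DNSNames, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der) // nil if signing was refused (e.g. by a non-CA parent)
	return cert, key
}
// accepted mimics a browser: leaf plus the intermediates the server sends must chain to a cert in roots.
func accepted(host string, roots []*x509.Certificate, leaf *x509.Certificate, inters ...*x509.Certificate) bool {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rp.AddCert(c)
	}
	for _, c := range inters {
		ip.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: rp, Intermediates: ip})
	return err == nil
}
// Scenarios (all names constructed): internal user with the firewall CA, hotspot user without it, hotspot user with a purchased server cert as issuer.
func Scenarios() (internal, public, viaBoughtCert bool) {
	fwCA, fwKey := issue("hotspot-firewall-ca", true, nil, nil)
	proxied, _ := issue("www.example.com", false, fwCA, fwKey) // forward-proxy cert for the visited site
	root, rootKey := issue("public-root-stand-in", true, nil, nil)
	bought, boughtKey := issue("hotspot.example.net", false, root, rootKey)
	resigned, _ := issue("www.example.com", false, bought, boughtKey)
	return accepted("www.example.com", []*x509.Certificate{fwCA}, proxied), accepted("www.example.com", nil, proxied),
		resigned != nil && accepted("www.example.com", []*x509.Certificate{root}, resigned, bought)
}
```

Scenarios() returns (true, false, false): only the client that already trusts the firewall's CA accepts the decrypted session, and the purchased server certificate cannot act as an issuer because it lacks the CA basic constraint, which is exactly why it cannot replace a deployed CA on the hotspot.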
