In Feb 2017, some universities, Mozilla, Cloudflare, and Google released this paper on corporate and desktop HTTPS interception. First they figured out how to identify when someone connects to a web server through an SSL interception appliance. Then they found that most corporate "man-in-the-middle" appliances expose security vulnerabilities. Basically, most appliances don't mirror the client's browser TLS handshake, and instead use their own less secure cipher suite. So for example, your browser requests to connect to google.com with TLS 1.2 with AES, the firewall decrypts it, then re-encrypts it with a weaker TLS handshake (like TLS 1.0 with RC4, or worse). This effectively makes your browser's connection far less secure.

The paper grades a few appliances. Bluecoat got an "A", but Cisco got an "F". Sophos and Juniper got a "C". Unfortunately Palo Alto isn't graded, and I don't know what method it uses.

Here's the link to the paper (PDF hosted by one of the paper's authors, Zakir Durumeric): The Security Impact of SSL Interception (https://zakird.com/papers/https_interception.pdf). The juicy stuff is on page 5. Also, here is a link to an article summary about it, in case the PDF doesn't work: https://www.helpnetsecurity.com/2017/02/10/https-interception/
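The downgrade described in the post can be checked by comparing the ClientHello the browser sends with the one the appliance sends upstream. The following is an added example, not code from the post or the paper; the function names and both sample handshakes are constructed for illustration, and it assumes the ClientHello fits in a single TLS record.

```python
import struct

# RC4 cipher suite IDs from the IANA TLS registry (illustrative subset).
RC4_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
              0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", 0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(version, suites):
    """Construct a minimal ClientHello record (sample input, no extensions)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record type 22 = handshake

def parse_client_hello(record):
    """Return (client_version, [cipher suite ids]) offered in a raw ClientHello record.
    Reads the client_version field only; the supported_versions extension is not handled."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        (version,) = struct.unpack("!H", body[0:2])
        pos = 2 + 32                       # skip client random
        pos += 1 + body[pos]               # skip session id
        (n,) = struct.unpack("!H", body[pos:pos + 2])
        raw = body[pos + 2:pos + 2 + n]
        if n % 2 or len(raw) != n:
            raise ValueError("bad cipher suite list")
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    return version, [s for (s,) in struct.iter_unpack("!H", raw)]

def downgrade_findings(browser_hello, upstream_hello):
    """List ways the proxy's upstream offer is weaker than the browser's own offer."""
    b_ver, b_suites = parse_client_hello(browser_hello)
    u_ver, u_suites = parse_client_hello(upstream_hello)
    findings = []
    if u_ver < b_ver:
        findings.append(f"version lowered: {VERSIONS.get(b_ver, hex(b_ver))} -> {VERSIONS.get(u_ver, hex(u_ver))}")
    for s in u_suites:
        if s in RC4_SUITES and s not in b_suites:
            findings.append(f"RC4 suite added: {RC4_SUITES[s]}")
    return findings

# Constructed sample: browser offers TLS 1.2 with AES-GCM; the proxy re-offers TLS 1.0 with RC4.
BROWSER = build_client_hello(0x0303, [0xC02F, 0xC02B, 0x009C])
PROXY = build_client_hello(0x0301, [0x0005, 0x002F])
```

In practice the two inputs would be the first handshake record captured on the client side and on the server side of the appliance for the same connection.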