This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

SSL: trusted Root CA

RSAAdmin
Beginner
Beginner

‎2015-05-20 08:08 AM

Hello, forum,

 

There is an old, but still disturbing matter of replacing SSL certificates for traffic monitoring. Users get nervous about it, but nevertheless it should be done due to well known reasons. Imagine that you are an authorized service and ssl traffic monitoring is your concern. Monitoring corporate users is easy due to you have ability to install trusted root CA using for example GPO on all their corporate devices and then just do SSL MITM and forward traffic to SA. But this is an issue with external users as you do not have control over their devices, but you are legally allowed to do it. There are some ways (some are pure imagination):

 

1) Force OS vendors to install custom root certificate. Every OS has it's own list of trusted root certs, I believe that is due to this approach,

2) Make you own trusted root CA, pass audits, issue both official and mitm certs for only in-state usage. A very long and quite expensive process, could be related to 1)

3) Become a subordinate CA, but all CA's clearly state that using their subordinate CA for DPI (same as ssl mitm) is illegal. But there were lot's of examples of trusted root CA's usage for DPI purpose. For this process I guess the root CA must be located in your state.

4) Buy some magic ssl inspection box that will have a pre-installed root ca, and the cert will be the vendors responsibility. Some sources state that such boxes exist, due to limited information they may be distributed only government-level channels.

 

I'm sure that many of you had similar thoughts/requests, I hope someone can share, what is a best approach for monitoring external ssl traffic.

I hope this post doesn't break any rules. Also feel free to PM me on this delicate matter.

 

Thanks in advance, peace

0 Likes
2 REPLIES 2

TimUnderhay
Beginner
Beginner

‎2015-05-21 11:05 AM

I'll add my two cents here.


Disclaimer: My comment is a broad discussion of PKI technology and not a recommendation.  Consult any local laws and ensure you would be in full compliance before attempting to do what you're asking about.

 

Speaking in very broad terms, without regard to a specific SSL decryption product or vendor: Internet-facing sites in general should be using a public SSL certificate that is signed by a publicly-trusted root or signing CA, such as RSA, Verisign, Thawte, etc.

 

Since these publicly-facing sites are ones that you own, you in theory should have access to the private SSL keys that are used by your sites for encryption.  These private keys are the keys to the kingdom, and if you possess them, you should in theory be able to decrypt any session that uses said private key for encryption.  This is why it's so important to keep private keys private, as your traffic is completely compromised if they get out.

 

Since the public end of that keypair is signed by a trusted CA, there would be no need to install an additional CA cert on internet users' devices.  Since you have the private key, you simply decrypt the session without any fuss, using some sort of SSL decryption device/technology.

 

If you don't have access to the private keys, the most obvious option would be to implement a MITM decryption proxy and ask users of your service to install and trust your MITM CA for encryption, though for obvious reasons they may decline to do so.

 

I hope this helps.

0 Likes

RSAAdmin
Beginner
Beginner
In response to TimUnderhay

‎2015-05-21 11:41 AM

Thanks a lot for your input, Tim,

 

Possession of private keys is, of course, the easiest method. And if a some internet resource has headquarters/is hosted in local state there is no problem requesting needed information from it even without a private key.

Regarding SSL MITM, if you MITM with trusted root CA very few users will notice, as it would be accepted without any prompts. Many governments have their trusted root ca installed in OS out of the box btw (related to my post 1) and 2)

As I'm talking about US allied state, I wonder if there some procedures/laws which could be passed to join some global intelligence programs regarding this matter, because my 1st post looks like inventing a bicycle.

 

What I'm asking about is achievable state-wide only via government organizations, so let's leave the legal aspects to them.

 

PS. I know that asking such question here looks kind of ridiculous (even though this forum is closely related to these tasks), but believe me, this is not the most astonishing tasks/question that I am being asked

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.