A discussion was under way on the Fortinet forum about SSL inspection, and many questions have been raised about what a FortiGate actually checks when it inspects SSL sessions.
What I've found is that SSL inspection will let any web client establish HTTPS sessions to a site with a small key size or with weak ciphers. Certificate revocation is not strictly enforced either, nor is OCSP mandated. So you are left with the security functions of the user's web browser and OS.
Firefox seems to be slightly ahead of the game compared to Chrome or Opera, but leaving security controls in the hands of the end user will always end in disaster.
For example, I reconfigured my Apache2 web server with a 384-bit key and with only SSLv3 enabled.
The FortiGate allowed access to this site with SSL inspection enabled.
The same happened with the RC4-SHA cipher suite enabled. Even a site whose certificate had been revoked (listed in the CRL) was passed through blindly.
Firefox will drop sessions using TLS 1.0 and a 384-bit key and show you a generic warning.
All of these would be very bad for a high-security website and place end-user data at risk.
Question:
So how do we secure a client from accessing a website with the above?
Response:
You will need to use a third-party proxy appliance that has tighter acceptance controls.
Merely inspecting the certificate serial number, expiration date, and CA trust is not enough. Client access to weak and vulnerable websites should be restricted and enforced, IMHO.
OpenSSL will describe the various ciphers in its LOW, MEDIUM, and HIGH groups;
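As an added example (not code from the original post, Fortinet, or Ken Felix), the following Python script shows the kind of acceptance check the response above is asking for: it reads per-session TLS attributes in a hypothetical, constructed log format that an inspecting proxy might emit (host, protocol, OpenSSL cipher-suite name, certificate key size and revocation lookup result), evaluates each session against a minimum-strength policy, and fails closed when revocation status is unknown. The thresholds, the log format and the `.example.test` hosts are all assumptions made for this example; the sample log reproduces the three cases from the post (384-bit key on SSLv3, RC4-SHA, a revoked certificate) plus one acceptable session. The weak-cipher markers follow the substrings OpenSSL uses in suite names (the same names `openssl ciphers -v LOW` lists).

```python
"""Added example: audit observed TLS sessions against a minimum-strength policy.

The log format below is constructed for this example and is not FortiGate output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Policy thresholds (assumed values for this example; tune to your environment)
MIN_KEY_BITS = 2048
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Substrings of an OpenSSL cipher-suite name that mark the suite as unacceptable
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


@dataclass
class TlsSession:
    host: str
    protocol: str
    cipher: str
    key_bits: int
    revocation: str  # "good", "revoked" or "unknown" (no CRL/OCSP answer)


# Hypothetical log line layout: key=value pairs, one session per line
LOG_RE = re.compile(
    r"host=(?P<host>\S+) proto=(?P<proto>\S+) cipher=(?P<cipher>\S+) "
    r"key_bits=(?P<bits>\d+) revocation=(?P<rev>\S+)"
)

# Constructed sample log: the post's three bad cases plus one acceptable session
SAMPLE_LOG = """\
host=weak.example.test proto=SSLv3 cipher=AES128-SHA key_bits=384 revocation=unknown
host=rc4.example.test proto=TLSv1 cipher=RC4-SHA key_bits=2048 revocation=good
host=revoked.example.test proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 key_bits=2048 revocation=revoked
host=ok.example.test proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 key_bits=2048 revocation=good
"""


def parse_log(text: str) -> List[TlsSession]:
    """Parse log lines into sessions, skipping lines that do not match the format."""
    sessions = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            sessions.append(
                TlsSession(m["host"], m["proto"], m["cipher"], int(m["bits"]), m["rev"])
            )
    return sessions


def evaluate(s: TlsSession) -> List[str]:
    """Return the policy violations for one session; an empty list means allow."""
    findings = []
    if s.protocol not in ALLOWED_PROTOCOLS:
        findings.append(f"protocol {s.protocol} not allowed")
    name = s.cipher.upper()
    if any(marker in name for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher {s.cipher}")
    if s.key_bits < MIN_KEY_BITS:
        findings.append(f"key size {s.key_bits} below {MIN_KEY_BITS}")
    # Fail closed: a missing or unanswered revocation lookup is not "good"
    if s.revocation != "good":
        findings.append(f"revocation status {s.revocation}")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Map each host in the log to its list of policy violations."""
    return {s.host: evaluate(s) for s in parse_log(text)}


def verdict(findings: List[str]) -> str:
    return "allow" if not findings else "block"


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_LOG).items():
        print(f"{verdict(findings):5} {host}: {'; '.join(findings) or 'policy ok'}")
```

Run as-is to see the verdict for each constructed session; only the last host is allowed. The revocation check is deliberately strict: a session is blocked unless the lookup positively returned "good", which is the opposite of the soft-fail behaviour described in the post.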
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \