I am not sure how Fidelis can decrypt SSL, perhaps a man-in-the-middle(MIM)? The slide says "its an SSL proxy. Just need to install endpoint-trusted CA certificate on the SSL Inspector.".
So apparently Fidelis accepts your client SSL request but connects to your destination itself, including verifying the destination certificate and establishing a session key. Then, Fidelis makes a new certificate using its CA certificate authority and responds to your client SSL request with its own certificate and establishes a session key with you. During the rest of the session, it captures the plain text going both ways.
If true, this suggests that the Fidelity device is using the UCB Certificate Authority which would be trusted by all UCB hosts. So connect to an non-UCB SSL site and use your browser to see what certificate authority the connection is using.
Back in the 90's I wrote a report that discussed this problem and suggested that clients should disable all keys for certificate authorities that are not in use to avoid a rogue authority allowing this kind of MIM.
If true, this introduces a new security problem. When connecting to especially sensitive sites, such as banking etc., I verify the Certificate chain before entering my password (I know which CA each site uses). If I were to always see the Fidelis certificate, I could not detect MIM attacks further out on the Internet. Also you would be relying on Fidelis to do a proper verification of the destination certificate.
Additionally, is error detection preserved while Fidelis decrypts and re-encrypts each packet? A side effect of SSL is excellent end-to-end error and tamper protection.
greg
"On a network paranoia is just good thinking." Lowell Detloff
At 12:11 PM 2/5/2016, Christopher Brooks wrote:
Would anyone like to comment on p. 10 of https://www.documentcloud.org/documents/2703887-Ucop-Monitoring.html, where it states that the Fidelis SSL Inspector is decrypting SSL traffic?Â
Is this possible in such a small box? Maybe they mean that they are messing with http proxies and SSL?
Currently, I'm getting my website SSL certs from UCB. My understanding is that there is no backdoor so that UCOP could decrypt traffic to and from my SSL websites. Does anyone see a problem with this?
Should we be using Let's Encrypt instead? I hope not, I like my certs from Berkeley.
Christopher Brooks, PMP University of California Academic Program Manager & Software Engineer US Mail: 337 Cory Hall CHESS/iCyPhy/Ptolemy/TerraSwarm Berkeley, CA 94720-1774 c...@eecs.berkeley.edu, 707.332.0670 (Office: 545Q Cory)
------------------------------------------------------------------------- The following was automatically added to this message by the list server: To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site: http://micronet.berkeley.edu Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet. This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past. ANNOUNCEMENTS: To send announcements to the Micronet list, please use the micronet-annou...@lists.berkeley.edu list.
