Do I want to install my organization's root certificate?


#1

Continuing the discussion from LetsEncrypt Installed on Nginx But a Cisco Cert is Being Served Up:

(There is not really an appropriate category for this question, so I apologise if this kind of discussion is not wanted here) [quote=“pfg, post:15, topic:31319”]
Pretty much, though it’s not so much misbehaving and more like whoever is responsible for Umbrella in your organization forgot to ask you to install their root certificate
[/quote]

Before I pick up the phone and ask IT support about this, I have a principle question: do I even want to install that root certificate?

From as little as I understand, I believe that having that certificate installed means granting my organization a man-in-the-middle position, i.e. to let them intercept even my encrypted traffic, right? Is this something anyone would want (except in exceptional circumstances like the one in the original topic)?

Edit: I am not literally asking you to tell me what to do. The point of this topic is to inform about and discuss the use of root certificates, in particular with regard to potential surveillance of employees.


#2

hi @tophee

this is a letsencrypt forum therefore lets keep probelms related to letsencrypt

you will need to talk to your IT team about the role of Cisco Umbrella and whether or not it would interfere with what you are observing

From a testing phase letsencrypt is deployed correctly on domains and is working from the public internet

Anything internally is between you and IT

Andrei


#3

I suspected so. But now you changed the topic to make it look relevant for the forum even though it isn’t…

BTW: there is no need to @mention the person you are replying to in your reply because that person will get notified about your reply anyway (“someone replied to your post”…).


#4

We’re generally okay with topics that are not strictly related to Let’s Encrypt, but are still related to the Web PKI and don’t really fit anywhere else.

It’s quite a tricky topic. TLS interception is fairly common on enterprise networks. I imagine you would find such middle boxes in most Fortune 500 networks. That doesn’t necessarily make it a good thing, as this study points out. The middlebox naturally becomes a single point of failure that, if compromised, gives an attacker access to all TLS traffic in plain text. These proxies are often outdated when it comes to things like protocol and cipher support, which effectively downgrades the connection security. Not to mention that there’s no privacy for any of the users on the network. At the same time, users on such networks typically don’t have admin access to their devices, so there’s no guarantee of privacy either way. Administrators could just intercept the traffic (and other things) on the device itself.

In some way, Umbrella is slightly better than many other solutions in that it doesn’t intercept all connections, but rather just those it deems suspicious for some reasons. (Obviously, false positives still happen.) That said, if their root certificate is compromised someone in a position to MitM your connection could still use it to intercept all traffic if you trust the root certificate, so ultimately one would have to decide whether it’s worth the risk. For technical users, manually inspecting the certificate (i.e. checking the fingerprint) and accepting it in cases where traffic is intercepted might be a workable approach.


#5

hi @pfg

I agree with what you are saying but the question read to me as please give me advise on whether or not I should do this on my network. I tend to err on the side of caution and that was what my response regarding intenal networks should be discussed with internal IT

In terms of observations of outdated proxies in my experience it’s usually the other way round. Customer have legacy systems which do not support the newer protocols and use Application Delivery Controllers such as F5, NetScaler and Radware to increase the security of their applications.

You are right it is a common practice in high security environment to decrypt traffic but that is more about IDS and identifying potential threats. TLS is great tools but can be used by hackers to mask attacks rendering packet inspection technologies useless.

In these cases we usually install the same certificate (letsencrypt) on web servers and Application Delivery controllers if we can (application supports it etc). There are times the backend encryption is done with self signed or internal certs but the traffic between the Application Delivery Controller and the web server is encrypted.

Just my 5 cents :smiley:

Andrei


#6

it is also worth pointing that from external networks a letsencrypt certificate is presented (not a Cisco Umbrella Certificate) so if there are internal proxies they may be there for valid reasons (PCI DSS, HIPPA compliance etc)

Hence my response about check with your IT and don’t assume it’s man in the middle :smiley:

Andrei


#7

Your post seems to refer to load balancers you’d put in front of a web server. That’s not really what OP was talking about. Umbrella and other middleboxes serve a different purpose, and, as the study points out, often decrease connection security. These devices do not use certificates from publicly-trusted CAs like Let’s Encrypt, but rather custom roots typically distributed through something like Active Directory. They effectively act as men in the middle, it’s just that they’re trusted (from the organization’s point of view).


#8

That’s right. In some corporate networks, the alternative to accepting the organization’s CA and associated monitoring may be that your connections will be blocked, unless you use some kind of circumvention tool or tunnel to get around the blocking; in some organizations that regard the interception as an important measure that employees should submit to, you might be punished for doing that, maybe even by being fired!


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.