
I want to ask you if you think that doing SSL Inspection in proxy mode (Resign) could be a problem.

The scenario is the following: 1 --> 2 --> 3

  1. Client web browsing
  2. IPS device with SSL inspection (client trusts the certificate of the IPS because the IPS became a subordinate CA of the CA)
  3. After that the traffic goes to the cloud where it is again resigned by the cloud proxy.

What do you think? Is it possible to realize it? Should the cloud proxy be a subordinate CA of the CA?

Vilican
D3sync
  • Beside technical issues (HPKP for instance) do not forget to account for legal aspects of such an inspection, if applicable. – WoJ Dec 03 '15 at 09:13

3 Answers


I think that it is not a good idea as this deployment would defeat the basic idea of SSL/TLS: End-to-end encryption.

In practice, such a deployment can cause the following problems:

  • Sites, web services etc. that use Certificate Pinning (e.g., via HPKP) would stop working because the browser / client is suddenly seeing a valid but different SSL certificate.
  • Many smartphone apps do certificate pinning for their web service endpoints because there is only one client which makes public key pinning relatively easy.
  • Google Chrome and Firefox have a predefined list of pinned certificates and hard-code the Google certificates into the browser. So Google domains would not be accessible from the Chrome browser any more. Here you can find more information on that regarding Firefox.

Everything in the SSL/TLS world is going towards pinning certificates and narrowing the trust relationship between CAs and SSL/TLS-enabled domains. That's why I don't think that what you suggested is a future-proof network design.

thomaskonrad
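As an added example (not code from the question or this answer, and not from any vendor's product), the Go program below builds the PKI the question sketches and runs the checks each hop would run. It creates a corporate root, two pathlen-constrained resigning sub-CAs directly under it (the question asks whether the cloud proxy should also be a subordinate of the CA; this models that layout, though chaining the cloud CA under the IPS CA would also validate), a resigned leaf from each proxy, and a self-signed stand-in for the origin's public-CA certificate. It then validates each hop's leaf the way the next hop's TLS client would and compares HPKP-style SPKI pins to show why the pinning objection in this answer bites. The CA names, the hostname example.com and the self-signed origin stand-in are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Hop is a certificate together with the private key behind it.
type Hop struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64 // demo-only sequential serials; a real CA uses random ones

// newTemplate describes a CA (ca=true) or a server cert for host cn (ca=false).
func newTemplate(cn string, ca bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign makes a fresh P-256 key for tmpl and has parent sign it (self-signed when parent is nil).
func sign(tmpl *x509.Certificate, parent *Hop) Hop {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return Hop{Cert: cert, Key: key}
}

// Scenario is the PKI behind the question's 1 -> 2 -> 3 path for one host (assumed layout:
// both resigning proxies are sub-CAs directly under one corporate root).
type Scenario struct{ Root, IPS, Cloud, FromIPS, FromCloud, Origin Hop }

func Build(host string) Scenario {
	root := sign(newTemplate("Corp Root CA", true), nil)
	subCA := func(cn string) Hop { // pathlen:0 so a leaked sub-CA cannot mint further CAs
		t := newTemplate(cn, true)
		t.MaxPathLenZero = true
		return sign(t, &root)
	}
	ips, cloud := subCA("IPS Resigning CA"), subCA("Cloud Proxy Resigning CA")
	return Scenario{
		Root: root, IPS: ips, Cloud: cloud,
		FromIPS:   sign(newTemplate(host, false), &ips),   // what the browser is shown
		FromCloud: sign(newTemplate(host, false), &cloud), // what the IPS is shown
		Origin:    sign(newTemplate(host, false), nil),    // stand-in for the site's public-CA cert
	}
}

// Verify validates leaf for host as a TLS client would, given the intermediate the peer
// sends in its handshake and the one root the client trusts.
func Verify(leaf, intermediate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Pin is the HPKP pin-sha256 value: base64(SHA-256(SubjectPublicKeyInfo)).
func Pin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	s := Build("example.com")
	fmt.Println("browser (trusts root) accepts IPS leaf:", Verify(s.FromIPS.Cert, s.IPS.Cert, s.Root.Cert, "example.com"))
	fmt.Println("IPS (trusts root) accepts cloud leaf  :", Verify(s.FromCloud.Cert, s.Cloud.Cert, s.Root.Cert, "example.com"))
	fmt.Println("client without root accepts IPS leaf  :", Verify(s.FromIPS.Cert, s.IPS.Cert, s.Origin.Cert, "example.com"))
	fmt.Println("origin's HPKP pin matches IPS leaf    :", Pin(s.Origin.Cert) == Pin(s.FromIPS.Cert))
}
```

The two verifications against the corporate root succeed. The same IPS-issued leaf checked by a client that does not carry that root (a BYOD device, or an app that ships its own trust store) fails with a "certificate signed by unknown authority" error, and the origin's pin never matches the resigned leaf, because the key the browser sees belongs to the IPS. The second check is the one the question is really asking about: for hop 2 -> 3 the IPS is itself a TLS client, so its own outbound trust store must contain the root that issued the cloud proxy's sub-CA (or trust the cloud proxy's CA directly), otherwise it will refuse the cloud proxy's resigned certificate exactly as an untrusting browser would.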

If this is for your own project and not meant as a general purpose proxy type of thing then what you're describing is called SSL/TLS Termination, where basically there is one or more entry points (load balancers usually) that handle the cryptographic process and then proxy the request to the appropriate servers. The client does not do handshakes or anything like that with the actual end server, only with the load balancer that is handling the Termination.

If you mean it as a general purpose project, I suggest you read CloudFlare's Universal SSL post.

Here is a related answer

Purefan

This is standard practice with next-gen firewalls that do application level inspection.

It's definitely feasible, but has some complications with certificate pinning. The endpoints would have to be configured to disable pinning support or the proxy would have to rewrite the pinning information as part of the resigning.

To be clear this can only work effectively with endpoints that are configured to intentionally trust your proxy, its certificates, and its pinning overrides.

Alain O'Dea