Firepower SSL Decryption

cisco8887
Level 2

Hi,

Are there any ways of having a publicly trusted subordinate CA installed on Firepower, so that not all machines have to trust the certificate which is re-signing for SSL decryption?

Say you get a certificate signed by GoDaddy. When you do SSL decryption, your intermediate / your CA issued by GoDaddy is not trusted by the endpoint unless you make it so. This means you will get an error about not being able to verify the CA identity.

For instance, countries with censorship: how do they do this and no one notices?

Thanks

3 Replies

Hi,

SSL decryption is basically a Man In The Middle (MITM) attack, so unfortunately no public CA will give you a subordinate certificate in order to spoof a website.

HTH

I think some CAs trusted by all browsers used to do this if your net worth was more than 5 million dollars.

I wonder how countries with extreme censorship do it.

Some countries have been known to try to require all their citizens to install a country-issued certificate to allow for inspection of all outgoing traffic. That has met with backlash and international condemnation, since the sovereignty issues are not clear-cut.

Others just put massive middle box (firewalls, content inspection etc.) infrastructure to block anything they deem inappropriate or illegal. It often ends up blocking some legitimate uses inadvertently but they are willing to do so in the course of exercising their authority.
