07-08-2020 07:49 AM
Hi,
Are there any ways of having a publicly trusted CA's subordinate CA installed on Firepower so not all machines have to trust the certificate which is re-signing for SSL decrypt?
Say you get a certificate signed by GoDaddy; when you do SSL decrypt, your intermediate / your CA issued by GoDaddy is not trusted by the endpoint unless you make it so. This means you will get an error about not being able to verify the CA identity.
For instance, countries with censorship: how do they do this without anyone noticing?
Thanks
07-08-2020 07:53 AM
Hi,
SSL decryption is basically a Man In The Middle (MITM) attack, so unfortunately no public CA will give you a subordinate certificate in order to spoof a website.
HTH
07-08-2020 01:52 PM
I think some CAs trusted by all browsers used to do this if net worth was more than 5 million dollars.
I wonder how countries with extreme censorship do it.
07-08-2020 10:25 PM
Some countries have been known to try to require all their citizens to install a country-issued certificate to allow for inspection of all outgoing traffic. That has met with backlash and international condemnation, since the sovereignty issues are not clear cut.
Others just put massive middlebox (firewalls, content inspection, etc.) infrastructure in place to block anything they deem inappropriate or illegal. It often ends up blocking some legitimate uses inadvertently, but they are willing to do so in the course of exercising their authority.