OpenVPN Interception

ms4561
Level 1

Hi

I would like to know if OpenVPN (SSL VPN) can be intercepted by proxy appliances like Cisco IronPort and Blue Coat, amongst others? I raise this question because companies are now intercepting HTTPS traffic using these appliances with fake certificates. This allows the decrypting of HTTPS without the end user being aware that it is happening.

I have not been able to find any reference on the net to my question. My question to the security experts is: is OpenVPN susceptible to interception, since it also relies on certificates? If OpenVPN can be intercepted, what are the technical details of how this is done?

Thanks in advance.

Regards

1 Reply

Herbert Baerten
Cisco Employee

Hi ms4561

I don't know OpenVPN personally, but any application that uses SSL should verify that the certificate presented by the peer is valid and belongs to the peer.

E.g. when the Cisco AnyConnect client receives a fake cert from a proxy then it will either (depending on version and settings)

- deny the connection and inform the user why, or

- inform the user of the certificate mismatch and offer options to cancel the connection or continue anyway.

So "decrypting of HTTPS without the enduser aware" can only happen if the application is not doing proper certificate validation, or if the user just clicks continue without realizing what he is doing (a very real threat nowadays, unfortunately).

hth

Herbert
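To make the reply's point concrete for OpenVPN specifically, here is an added example of a client configuration (not from the thread, and not a configuration either poster supplied) that enforces the peer validation Herbert describes. The server name `vpn.example.com`, port and file names are assumptions; the option names are standard OpenVPN client options.

```conf
# Added example: client-side OpenVPN options that make a proxy-presented
# forged certificate fail verification instead of silently connecting.
# Server name, port and file names are assumptions.
client
dev tun
proto udp
remote vpn.example.com 1194

# OpenVPN trusts only the CA bundle named here, so an interception CA that
# an appliance vendor has installed in the operating system's store does
# not count when the server certificate is checked.
ca ca.crt
cert client.crt
key client.key

# Require the peer certificate to carry the TLS "server" extended key usage,
# so a client certificate issued by the same CA cannot be presented as a server.
remote-cert-tls server

# Pin the expected server identity: the Common Name on the server certificate
# must equal this value, otherwise the handshake is rejected.
verify-x509-name vpn.example.com name

# Encrypt and authenticate every control-channel packet with a pre-shared key.
# A middlebox that does not hold ta.key cannot even complete the TLS handshake,
# let alone substitute its own certificate.
tls-crypt ta.key

# Refuse legacy TLS versions.
tls-version-min 1.2
```

With `ca`, `remote-cert-tls server` and `verify-x509-name` set, an appliance that terminates the TLS session and presents a certificate from its own CA fails the chain check, and one that somehow obtained a certificate from the real CA still fails the identity and key-usage checks; there is no "continue anyway" prompt in the OpenVPN client, so the connection is simply not established. Checking the client log for a `VERIFY ERROR` line is the quickest way to confirm this behaviour during testing.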
