The Security Impact of HTTPS Interception Report

[Keith H10]

The U.S Department of Homeland Security US CERT issued advisory TA17-075A that HTTPS Interception Weakens TLS Security. TA17-075A

There was an article posted about it in The Register.
Are you undermining your web security by checking on it with the wrong tools?

It was all because of this report, where they give Untangle NG Firewall a "C" grade because it advertises RC4 ciphers.
The Security Impact of HTTPS Interception Report

My questions is, how can I mitigate this and get my instance of Untangle up to an "A" grade? Is there something in the configuration that I can change to disable RC4 ciphers or will this be addressed in the next update?

Thanks

[JasonJoel]

I also think Untangle needs to directly respond to this, as it is directly referenced in the DHS bulletin.

[theoak]

I am not saying it does not need to be address; however, there was only one product that got an "A" with everyone else getting a C or lower.

It looks like this needs to be addressed from UTM products as a whole.

[JasonJoel]

Definitely. I don 't see it as just an Untangle problem/issue. Rather, a number of the companies on the list need to either explain why the testing methodology is flawed, and not a big deal/incorrect, or make the code changes to improve it.

[cknickerbocker]

All,
Thank you for asking about this article. First I want to clarify that all SSL Inspection is technically man in the middle. SSL encryption of HTTP sites works under the premise that you are using the SSL Certificate to verify the identity of the website. So in order for Untangle to inspect HTTPS traffic, we have to insert ourselves into the middle of that communication.

As for this article they are assuming that all SSL inspection is completed in the exact same manner by all devices on the market. They also didn't test the devices listed. I can tell you that certain assumptions do not apply to our product. But the ones that do apply to our product like certificate validation we provide. You can see the certificate validation settings under the SSL Inspector settings. You can even control what encryption level our product will support for SSL encrypted sessions.

Also please keep in mind that SSL Inspection is not enabled by default and that a vast number of Untangle security features and filters do not require SSL Inspection.

Let me know if you have any additional questions.

[Keith H10]

I have SSL inspection enabled on my Untangle Home Firewall. I want to make sure I have it configured correctly. If I go to the badsll website that US Department of Homeland Security reccomends in their report to test my firewall, I get errors. How do I mitigate that?

https://badssl.com

[dmorris]

TLDR: RC4 is not supported. (unless you are running a version from ~2015)

The university study used a version of Untangle that is more than a year old. We have since released several major updates to our platform that proactively address all of the key security concerns. Our SSL Inspector application has been enhanced to allow granular control of each protocol used on both the client and server endpoints. Our current configuration enables only TLS by default, while allowing SSL to be manually enabled by users who need support for legacy applications. Our current release also uses the latest version of Java, which includes full support for TLS 1.2, and disables the deprecated RC4 cipher suites.

From the paper:

Untangle indicated that issues had already been addressed at the time of disclosure.

If you would like to know if SSL Inspector support the RC4 cipher do this:
1) Enable SSL Inspector (if it isn't already)
2) Add a SSL Inspector rules for 'SSL: Certificate Subject' = *ssllabs* then "Inspect"
3) Move this rule to the top and hit save
4) Install the SSL cert on your local machine by visiting https://my-untangle-ip/cert
5) visit https://www.ssllabs.com/ssltest/viewMyClient.html
6) Under "Enabled Ciphers" look for RC4


You can also run this command on your local Untangle to see if it allows RC4
grep -A2 '^jdk.tls.disabledAlgorithms' /etc/java-8-openjdk/security/java.security


This whole thing is a bit frustrating.
If I "disclosed" that firefox supports RC4 and it turned out I was testing a version of firefox from 2015 - would you consider that misleading? What if I knew I was testing a very old version (from an era when everyone allowed RC4) and disabled auto-upgrades to keep it on this old version and I chose not to mention that?



For full transparency here is our correspondence from the support case with Zakir (the papers first listed author)

Collen Knickerbocker
Oct 06, 2016 03:00 pm
Zakir,
I do highly recommend re-running your tests. The version you tested is more than a year old and the problems you identified are no longer an issues in our current version 12.1.1. Below is our official public reply when you disclose the study results in November.


The university study used a version of Untangle that is more than a year old. We have since released several major updates to our platform that proactively address all of the key security concerns. Our SSL Inspector application has been enhanced to allow granular control of each protocol used on both the client and server endpoints. Our current configuration enables only TLS by default, while allowing SSL to be manually enabled by users who need support for legacy applications. Our current release also uses the latest version of Java, which includes full support for TLS 1.2, and disables the deprecated RC4 cipher suites.


Let me know if you have any additional questions.
Best regards,


Collen Knickerbocker
Manager, Support Team

Zakir Durumeric
Oct 06, 2016 03:05 pm

Thanks Collen. Would you be able to share the default cipher suites that are now included? Can you also confirm that Logjam has been patched?


Zakir

Collen Knickerbocker
Oct 06, 2016 03:13 pm
Testing using the the provided websites with the current version (12.1.1) shows logjam is not an issue. RC4 is not supported in the current version (12.1.1).


Hope this helps.
Best regards,


Collen Knickerbocker
Manager, Support Team

Zakir Durumeric
Oct 06, 2016 03:16 pm

Great, thank you!

[Keith H10]

Thanks for the detailed response dmorris! This makes me feel much better about my Untangle firewalls!

[JasonJoel]

Great response, and thank you.

Sent from my Pixel XL using Tapatalk

[Keith H10]

Green is good and red is bad. Thanks Untangle for giving me all green. 2017-03-21.png