  1. #1
    Newbie | Join Date: Mar 2017 | Location: Virginia, USA | Posts: 4

    The Security Impact of HTTPS Interception Report

    The U.S. Department of Homeland Security's US-CERT issued advisory TA17-075A, "HTTPS Interception Weakens TLS Security".

    There was an article posted about it in The Register: "Are you undermining your web security by checking on it with the wrong tools?"

    It was all because of this report, where they give Untangle NG Firewall a "C" grade because it advertises RC4 ciphers: "The Security Impact of HTTPS Interception Report".

    My question is, how can I mitigate this and get my instance of Untangle up to an "A" grade? Is there something in the configuration that I can change to disable RC4 ciphers, or will this be addressed in the next update?

    Thanks

  2. #2
    Master Untangler | Join Date: May 2010 | Location: Texas, USA | Posts: 712

    I also think Untangle needs to directly respond to this, as it is directly referenced in the DHS bulletin.

  3. #3
    Master Untangler | Join Date: Aug 2016 | Posts: 236

    I am not saying it does not need to be addressed; however, there was only one product that got an "A", with everyone else getting a C or lower.

    It looks like this needs to be addressed from UTM products as a whole.
    Untangle 16.4.1 (Build: 16.4.1.20211102) (Kernel: 4.19.0-11-untangle-amd64)
    QOTOM-Q355G4
    1.6-2.7 GHz Intel I5 5250U, 128GB SSD mSATA, 8GB RAM DDR3L, 4xRJ-45 Intel I211AT 10/100/1000 Controller

  4. #4
    Master Untangler | Join Date: May 2010 | Location: Texas, USA | Posts: 712

    Definitely. I don't see it as just an Untangle problem/issue. Rather, a number of the companies on the list need to either explain why the testing methodology is flawed, and not a big deal/incorrect, or make the code changes to improve it.

  5. #5
    Newbie | Join Date: Aug 2014 | Posts: 8

    All,
    Thank you for asking about this article. First I want to clarify that all SSL Inspection is technically man-in-the-middle. SSL encryption of HTTP sites works under the premise that you are using the SSL Certificate to verify the identity of the website. So in order for Untangle to inspect HTTPS traffic, we have to insert ourselves into the middle of that communication.

    As for this article, they are assuming that all SSL inspection is completed in the exact same manner by all devices on the market. They also didn't test the devices listed. I can tell you that certain assumptions do not apply to our product. But the ones that do apply to our product, like certificate validation, we provide. You can see the certificate validation settings under the SSL Inspector settings. You can even control what encryption level our product will support for SSL encrypted sessions.

    Also please keep in mind that SSL Inspection is not enabled by default and that a vast number of Untangle security features and filters do not require SSL Inspection.

    Let me know if you have any additional questions.

  6. #6
    Newbie | Join Date: Mar 2017 | Location: Virginia, USA | Posts: 4

    I have SSL inspection enabled on my Untangle Home Firewall. I want to make sure I have it configured correctly. If I go to the badssl website that the US Department of Homeland Security recommends in their report to test my firewall, I get errors. How do I mitigate that?

    https://badssl.com

  7. #7
    dmorris, Untangle Junkie | Join Date: Nov 2006 | Location: San Carlos, CA | Posts: 17,486

    TLDR: RC4 is not supported (unless you are running a version from ~2015).


    The university study used a version of Untangle that is more than a year old. We have since released several major updates to our platform that proactively address all of the key security concerns. Our SSL Inspector application has been enhanced to allow granular control of each protocol used on both the client and server endpoints. Our current configuration enables only TLS by default, while allowing SSL to be manually enabled by users who need support for legacy applications. Our current release also uses the latest version of Java, which includes full support for TLS 1.2, and disables the deprecated RC4 cipher suites.

    From the paper:
    Untangle indicated that issues had already been addressed at the time of disclosure.

    If you would like to know whether SSL Inspector supports the RC4 cipher, do this:
    1) Enable SSL Inspector (if it isn't already)
    2) Add an SSL Inspector rule for 'SSL: Certificate Subject' = *ssllabs* then "Inspect"
    3) Move this rule to the top and hit save
    4) Install the SSL cert on your local machine by visiting https://my-untangle-ip/cert
    5) Visit https://www.ssllabs.com/ssltest/viewMyClient.html
    6) Under "Enabled Ciphers" look for RC4


    You can also run this command on your local Untangle to see if it allows RC4:
        grep -A2 '^jdk.tls.disabledAlgorithms' /etc/java-8-openjdk/security/java.security


    This whole thing is a bit frustrating.
    If I "disclosed" that Firefox supports RC4 and it turned out I was testing a version of Firefox from 2015, would you consider that misleading? What if I knew I was testing a very old version (from an era when everyone allowed RC4) and disabled auto-upgrades to keep it on this old version, and I chose not to mention that?



    For full transparency, here is our correspondence from the support case with Zakir (the paper's first listed author):




    Quote Originally Posted by Collen
    Collen Knickerbocker
    Oct 06, 2016 03:00 pm
    Zakir,
    I do highly recommend re-running your tests. The version you tested is more than a year old, and the problems you identified are no longer issues in our current version 12.1.1. Below is our official public reply for when you disclose the study results in November.


    The university study used a version of Untangle that is more than a year old. We have since released several major updates to our platform that proactively address all of the key security concerns. Our SSL Inspector application has been enhanced to allow granular control of each protocol used on both the client and server endpoints. Our current configuration enables only TLS by default, while allowing SSL to be manually enabled by users who need support for legacy applications. Our current release also uses the latest version of Java, which includes full support for TLS 1.2, and disables the deprecated RC4 cipher suites.


    Let me know if you have any additional questions.
    Best regards,


    Collen Knickerbocker
    Manager, Support Team

    Quote Originally Posted by Zakir
    Zakir Durumeric
    Oct 06, 2016 03:05 pm

    Thanks Collen. Would you be able to share the default cipher suites that are now included? Can you also confirm that Logjam has been patched?


    Zakir

    Quote Originally Posted by Collen
    Collen Knickerbocker
    Oct 06, 2016 03:13 pm
    Testing using the provided websites with the current version (12.1.1) shows Logjam is not an issue. RC4 is not supported in the current version (12.1.1).


    Hope this helps.
    Best regards,


    Collen Knickerbocker
    Manager, Support Team

    Quote Originally Posted by Zakir
    Zakir Durumeric
    Oct 06, 2016 03:16 pm

    Great, thank you!
    Last edited by dmorris; 03-21-2017 at 12:38 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
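The grep in the post above only shows the raw lines of java.security, and the `jdk.tls.disabledAlgorithms` value is usually continued over several lines with trailing backslashes, so a hasty read of two lines of grep output can miss an entry. The following script is an added example, not Untangle's code and not from the paper or the forum: it parses the Java properties format (comments, `key=value`, backslash continuations) and reports whether RC4 appears in the TLS disabled-algorithms list. The embedded sample file is constructed for illustration; the default path is the one quoted in the post.

```python
import sys

# Constructed sample in the OpenJDK 8 java.security format (property values
# continued across lines with a trailing backslash). This is not a copy of
# any real Untangle installation's file.
SAMPLE_JAVA_SECURITY = """\
# unrelated property
securerandom.source=file:/dev/random

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

# Path quoted in the forum post for an OpenJDK 8 install.
DEFAULT_PATH = "/etc/java-8-openjdk/security/java.security"


def parse_java_security(text):
    """Parse java.security-style text into a dict of key -> value.

    Joins trailing-backslash continuation lines (leading whitespace of the
    continued line is dropped, as the JDK does), skips blank lines and
    '#'/'!' comments, and lets later duplicate keys overwrite earlier ones.
    """
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending:
            line = line.lstrip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending).strip()
        pending = []
        if not logical or logical[0] in "#!":
            continue
        key, sep, value = logical.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def disabled_tls_algorithms(props):
    """Return the comma-separated entries of jdk.tls.disabledAlgorithms."""
    value = props.get("jdk.tls.disabledAlgorithms", "")
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def rc4_disabled(text):
    """True if RC4 is listed in jdk.tls.disabledAlgorithms."""
    entries = disabled_tls_algorithms(parse_java_security(text))
    return any(entry.upper() == "RC4" for entry in entries)


def main(argv):
    # Read the real file if a path is given or the default exists; otherwise
    # fall back to the constructed sample so the script runs anywhere.
    path = argv[1] if len(argv) > 1 else DEFAULT_PATH
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        source = path
    except OSError:
        text, source = SAMPLE_JAVA_SECURITY, "constructed sample"
    entries = disabled_tls_algorithms(parse_java_security(text))
    print(f"[{source}] jdk.tls.disabledAlgorithms entries: {entries}")
    print("RC4 disabled:", rc4_disabled(text))
    return 0 if rc4_disabled(text) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_rc4.py /etc/java-8-openjdk/security/java.security`; the exit status is 0 when RC4 is disabled, so it can sit in a cron job or a config-audit script. Note that this checks the JDK's default policy only: the SSL Inspector cipher settings mentioned in post #5 are applied on top of it, so the SSL Labs client test in the steps above remains the end-to-end check.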

  8. #8
    Newbie | Join Date: Mar 2017 | Location: Virginia, USA | Posts: 4

    Thanks for the detailed response dmorris! This makes me feel much better about my Untangle firewalls!

  9. #9
    Master Untangler | Join Date: May 2010 | Location: Texas, USA | Posts: 712

    Great response, and thank you.

    Sent from my Pixel XL using Tapatalk

  10. #10
    Newbie | Join Date: Mar 2017 | Location: Virginia, USA | Posts: 4

    Green is good and red is bad. Thanks Untangle for giving me all green. 2017-03-21.png