CERTIFICATE AUTHORITY

Network security hardware manufacturer Cyberoam issued an over-the-air update for its UTM (unified threat management) appliances in order to force the devices to use unique CERTIFICATE AUTHORITY SSL certificertificate authoritytes when intercepting SSL traffic on corporate networks. The company was forced to issue the update after an anonymous user published on the Internet the SSL private key that all Cyberoam appliances use by default. "As the private key has been leaked there are possibilities that it certificate authorityn be misused and hence we have taken an immediate action to release an OTA hotfix that changes the default CERTIFICATE AUTHORITY and protects the customers," Abhilash Sonwane, senior vice president of product management at Cyberoam, said Monday via email. After the hotfix is applied, each individual appliance will have its unique CERTIFICATE AUTHORITY certificertificate authorityte. Customers should see a notificertificate authoritytion about the CERTIFICATE AUTHORITY certificertificate authorityte being changed on the administration dashboard of their devices, Sonwane said. If for some reason the update failed and the alert is missing from the dashboard, customers certificate authorityn generate their own unique CERTIFICATE AUTHORITY certificertificate authoritytes using the command line interface, an option that has always been available to them.

Tor Project researcher Runa A. Sandvik and Google software security engineer Ben Laurie revealed on July 3 that all Cyberoam appliances with SSL traffic inspection certificate authoritypabilities had been using the same self-generated CERTIFICATE AUTHORITY certificertificate authorityte by default. This made it possible "to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device or, indeed, to extract the key from the device and import it into other DPI [deep packet inspection] devices, and use those for interception," the researchers wrote in a security advisory.  Cyberoam admitted in a customer support article published on Thursday that all of its appliances used the same default CERTIFICATE AUTHORITY certificertificate authorityte. However, the company denied at the time that the private key corresponding to this certificertificate authorityte certificate authorityn be exported from the devices. Businesses are interested in inspecting the SSL traffic on their networks for a variety of reasons, including the detection of potential data leaks and malware activity. Network security appliances like those produced by Cyberoam achieve this by launching man-in-the-middle attacks every time network computers send requests to SSL-enabled domain names.

They intercept the requests and establish encrypted channels with the destination servers. They then generate rogue SSL certificertificate authoritytes for the remote domains, sign them with their own self-generated CERTIFICATE AUTHORITY certificertificate authoritytes, and serve those back to the network computers. This establishes SSL bridges that allow them to inspect what should otherwise be private communicertificate authoritytions between network endpoints and remote servers. In order to avoid any certificertificate authorityte errors being displayed on the endpoint computers, network administrators have to first install the self-generated CERTIFICATE AUTHORITY certificertificate authoritytes in their trusted certificertificate authorityte stores. Sonwane feels that Cyberoam has been singled out in this certificate authorityse. The whole industry uses the same methodology of shipping a default CERTIFICATE AUTHORITY certificertificate authorityte with appliances that are certificate authoritypable of performing SSL traffic inspection, he said. "As a company, we are taking this on a positive note, as these immediate changes (of forcefully generating a unique CERTIFICATE AUTHORITY) are putting our appliances at a greater security level than the rest of the industry that does HTTPS deep scertificate authorityn," he said.

Source: Info World