Clearing the SSL Inspection Confusion
At A10 Networks, we take your security very seriously. Because of that, it’s our duty to clear up some confusion put forth in a recent alert by US-CERT (Alert TA17-075A) regarding the use of SSL inspection.
There was no specific event that triggered the alert, but rather US-CERT issued it as a generic warning based on previously published information. The US-CERT alert referenced three sources: The Risks of SSL Inspection (a CERT/CC Blog); The Security Impact of HTTPS Interception a research paper; and https://badssl.com/, an SSL test website.
Each of those sources mentions vulnerabilities they claim can impact SSL inspection solutions, including A10 Thunder SSLi. The reports feature some inaccurate information that we’d like to take a moment to correct.
Here’s a breakdown of each paper mentioned in the US-CERT alert:
- “The Risks of SSL Inspection” attempts to explain how an SSL Inspection solution can weaken the security of a network. The author presents a list of several vulnerabilities that may be present in an SSL Inspection system. Many of the vulnerabilities listed in the report are not relevant to A10 SSL Insight (SSLi) solution and can be easily addressed with A10’s AppCentric Templates (see below).
- “The Security Impact of HTTPS Interception” explains how SSL inspection might introduce vulnerabilities that can affect overall security of a network. This paper focuses on the use of weak ciphers by certain SSL inspection solutions. The authors scored and graded different solutions. Weeks ago, A10 identified numerous inaccuracies in this paper that misrepresent Thunder SSLi. The researchers did not test Thunder SSLi; they tested a completely different product, an outdated version of vThunder ADC that was more than a year old. A10 engaged the researchers, who acknowledged some technical inaccuracies and oversights, but not all of them, including the proper product choice. The researchers did, however, make minor changes to the paper, mentioning the AppCentric Templates wizard and how it enables the proper configuration and application of stronger ciphers. A10 has posted a response to this specific research paper on our blog, which details how all of the authors’ concerns can be addressed by following a few simple steps.
- badssl.com is an HTTPS test website where users can verify the security level of their SSL inspection solutions and WAF.
Based on the information contained in those reports, here are A10’s recommended configuration best practices from SSLi that you can follow to ensure the best security:
AppCentric Templates is a wizard-based configuration tool that allows an organization to apply best practices to their SSL Insight solution, enabling them to secure the deployment with minimal efforts. Most of the subsequent points can be easily configured via AppCentric Templates.
Signing CA and Key
- Generate a signing CA/key from your company root CA with 2K key and SHA-256.
- Renew the signing CA/key periodically.
- Protect the private key with a non-trivial password.
TLS Version and Cipher Suites
- SSLv3 is vulnerable to the POODLE attack and is not secure. Ensure SSLv3 is disabled from both SSLi inside and SSLi outside.
- Limit cipher suites to the recommended ones below, and prefer PFS to non-PFS suites with higher priority values.
- TLS1_ECDHE_RSA_AES_128_SHA priority 10
- TLS1_ECDHE_RSA_AES_256_SHA priority 10
- TLS1_ECDHE_RSA_AES_128_SHA256 priority 10
- TLS1_ECDHE_RSA_AES_128_GCM_SHA256 priority 10
- TLS1_ECDHE_ECDSA_AES_128_GCM_SHA256 priority 10
- TLS1_ECDHE_ECDSA_AES_128_SHA256 priority 10
- TLS1_ECDHE_ECDSA_AES_256_GCM_SHA384 priority 10
- TLS1_ECDHE_ECDSA_AES_256_SHA priority 10
- If performance optimization is a must, you might opt in to prefer RSA key exchange for SSLi inside and PFS for SSLi outside.
Origin CA Validation
- Install the latest CA bundle from a trusted source for both SSLi inside and SSLi outside.
A10 includes a Mozilla CA bundle in ACOS.
- Enable server certificate validation for both SSLi inside and SSLi outside.
- For SSLi inside, enable OCSP and CRL validation for certificate revocation checks.
- The action for validation failure should be set to “DROP” for both SSLi inside and SSLi outside.
- If a self-signed certificate needs to be allowed, you have two choices:
- If the websites belong to your organization, you may opt in to bypass inspection; however, the preferred way is to have websites issued a regular cert from your root CA.
- Otherwise, create an alternate signing key with a CA that is not trusted by browsers and use it to sign origin self-signed certificates; browsers and API clients will be able to see at least a broken certificate chain. To make this work, you have to disable CA validation on SSLi outside.
SSL Inspection Policy
- Enable inspection of QUIC protocol (Google) by blocking UDP 80/443.
- Drop a connection if a certificate is not in cache instead of bypassing inspection.
- Disable fail-safe to prevent traffic from being bypassed when origin certificate fetch fails.
- Enable decryption of non-HTTP traffic.
- If a domain name is used for inspection bypass, use exact match or “ends_with” to match an apex domain name.
Certificate Pinned Websites
- Bypass inspection only if the websites are required for your business operation and they are positively confirmed that their certificates are pinned.
To get the best customer experience from our Thunder SSLi product, we highly recommend you use our AppCentric Templates wizard, which has been developed with a focus on A10’s recommended best practices that should be applied by security and network engineers while setting up the SSL Insight solution in a network.
By following the guidelines provided by A10, your organization can rest assured that your network is not just secure, but that leveraging SSL Insight enhances your security.
We welcome any questions you might have regarding the US-CERT alert and the references made in it.
For additional details on A10 Thunder SSLi, download this data sheet.
For a best practices guide for SSLi, please contact your A10 representative or A10’s Technical Assistance Center (TAC).