Cisco web security and HTTPS user ID's and PW's

alceryes3
Level 1

We are implementing web security with HTTPS filtering at the office. There's concern that this will allow usernames and passwords entered on *supposedly* secure sites to be recorded/viewed. Is this concern warranted?

TIA!

4 Replies

Vance Kwan
Cisco Employee

This shouldn't be a concern since even if the WSA were to decrypt the traffic, a packet capture taken from the WSA will still be encrypted.  An attacker would need to get a hold of the private key for the HTTPS certificate that the WSA generates on the fly for that transaction.  The keys are not stored on the appliance.

If an attacker had the ability to decrypt the capture, they would be able to do so even if the WSA was not inspecting that traffic. Decrypting the traffic on the WSA would not compromise the security of it.

-Vance

Thanks Vance.

How about internally?

Do users that have the cert the WSA uses, and have full access to the firewall/appliance, have the ability to decrypt usernames and passwords being sent over HTTPS?

If anybody were to obtain the cert/private key that the WSA uses (the root CA), they would only be able to generate new certificates. They can create new certificates/keys used to identify a website, but it wouldn't be the same one that was used to encrypt the capture they are in possession of. Therefore, they wouldn't be able to decrypt the capture they have taken since they do not have the key that was used for that connection.

Even if they were to preemptively create a certificate/key, they wouldn't be able to inject this into the WSA to have them use it for a future session.

-Vance
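
The distinction drawn in the reply above, between the root CA key that signs certificates and the separate key pair inside each certificate it issues, can be reproduced with the `openssl` CLI. This is an added example, not part of the original thread and not a description of the WSA's internals; the CA name, host name and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: subjects, labels and paths below are illustrative assumptions.
DEMO_DIR=$(mktemp -d)

# Create a P-256 key pair and a self-signed root CA certificate.
make_root_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" \
        -subj "/CN=Example Proxy Root CA" -days 1 2>/dev/null
}

# Issue a certificate for host $1 (file label $2): generate a fresh key pair,
# then sign the request with the root CA key.
issue_leaf() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$DEMO_DIR/$2.key" -out "$DEMO_DIR/$2.csr" \
        -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$DEMO_DIR/$2.csr" -CA "$DEMO_DIR/ca.crt" \
        -CAkey "$DEMO_DIR/ca.key" -CAcreateserial \
        -out "$DEMO_DIR/$2.crt" -days 1 2>/dev/null
}

# SHA-256 fingerprint of the public key embedded in certificate file $1.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds when certificate file $1 chains to the demo root CA.
chains_to_ca() {
    openssl verify -CAfile "$DEMO_DIR/ca.crt" "$1" >/dev/null 2>&1
}

make_root_ca
issue_leaf www.example.com session1   # certificate minted for one connection
issue_leaf www.example.com session2   # same host name, issued again later

echo "root CA public key:  $(pubkey_fp "$DEMO_DIR/ca.crt")"
echo "session1 public key: $(pubkey_fp "$DEMO_DIR/session1.crt")"
echo "session2 public key: $(pubkey_fp "$DEMO_DIR/session2.crt")"
chains_to_ca "$DEMO_DIR/session1.crt" && echo "session1 chains to the root CA"
chains_to_ca "$DEMO_DIR/session2.crt" && echo "session2 chains to the root CA"
```

Both certificates validate against the same root, yet the three public-key fingerprints all differ: the CA key only signs, and each issued certificate has its own key pair.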

Vance,

How is the appliance able to filter 443 sites if it doesn't decrypt the packets? Sorry if I'm asking simple questions. I'm really a novice at Cisco.

Thanks!