Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
New Member

Cisco web security and HTTPS user ID's and PW's

We are implementing web security with HTTPS filtering at the office. There's concern that this will allow usernames and passwords entered on *supposedly* secure sites to be recorded/viewed. Is this concern warranted?

TIA!

4 REPLIES
Cisco Employee

Cisco web security and HTTPS user ID's and PW's

This shouldn't be a concern since even if the WSA were to decrypt the traffic, a packet capture taken from the WSA will still be encrypted.  An attacker would need to get a hold of the private key for the HTTPS certificate that the WSA generates on the fly for that transaction.  The keys are not stored on the appliance.

If an attacker had the ability the decrypt the capture, they would be able to do so even if the WSA was not inspecting that traffic.  Decrypting the traffic on the WSA would not compromise the security of it.

-Vance

New Member

Re: Cisco web security and HTTPS user ID's and PW's

Thanks Vance.

How about internally?

Do users that have the cert the WSA uses, and have full access to the firewall/appliance, have the ability to decrypt usernames and passwords being sent over HTTPS?

Cisco Employee

Cisco web security and HTTPS user ID's and PW's

If anybody were to obtain the cert/private key that the WSA uses (the root CA), they would only be able to generate new certificates.  They can create new certificates/keys used to identify a website, but it wouldn't be the same one that was used to encrypt the capture they are in posession of.  Therefore, they wouldn't be able to decrypt the capture they have taken since they do not have the key that was used for that connection.

Even if they were to preemtively create a certificate/key, they wouldn't be able to inject this into the WSA to have them use it for a future session.

-Vance

New Member

Re: Cisco web security and HTTPS user ID's and PW's

Vance,

How is the appliance able to filter 443 sites if it doesn't decrypt the packets? Sorry if I'm asking simple questions. I'm really a novice at Cisco.

Thanks!

279
Views
0
Helpful
4
Replies
CreatePlease login to create content