We are implementing web security with HTTPS filtering at the office. There's concern that this will allow usernames and passwords entered on *supposedly* secure sites to be recorded/viewed. Is this concern warranted?
This shouldn't be a concern since even if the WSA were to decrypt the traffic, a packet capture taken from the WSA will still be encrypted. An attacker would need to get a hold of the private key for the HTTPS certificate that the WSA generates on the fly for that transaction. The keys are not stored on the appliance.
If an attacker had the ability to decrypt the capture, they would be able to do so even if the WSA was not inspecting that traffic. Decrypting the traffic on the WSA would not compromise the security of it.
If anybody were to obtain the cert/private key that the WSA uses (the root CA), they would only be able to generate new certificates. They can create new certificates/keys used to identify a website, but it wouldn't be the same one that was used to encrypt the capture they are in possession of. Therefore, they wouldn't be able to decrypt the capture they have taken since they do not have the key that was used for that connection.
Even if they were to preemptively create a certificate/key, they wouldn't be able to inject this into the WSA to have them use it for a future session.
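The answer above rests on three different secrets being kept apart: the long-lived root-CA key (which only mints certificates), the per-connection key the appliance uses to authenticate itself, and the per-session secret the traffic is actually encrypted under. The script below is an added illustration, not code from the thread or from Cisco, and uses only the Python standard library: a toy Diffie-Hellman exchange (modulus 2^255-19 with generator 2, not a vetted DH group) and an HMAC-SHA256 keystream as a stand-in for TLS record protection. It shows that the capture is recoverable only from the session's ephemeral exponent, that the root-CA key yields nothing, and that the guarantee disappears the moment the proxy is configured to log session secrets. All names are hypothetical; the HTTP request is a constructed sample. Note that this reasoning applies as stated with ephemeral (EC)DHE key exchange; with RSA key exchange the per-connection leaf private key would decrypt the capture, so the practice of not retaining those keys on the appliance is what carries the argument.

```python
"""
Added example (not from the original thread, not Cisco code): a stdlib-only
model of why a recorded HTTPS session stays unreadable to someone who later
obtains the interception root-CA key. Three secrets are kept apart:
  1. the root-CA signing key   (mints new site certificates; here just bytes)
  2. the per-session DH exponent held by the proxy (decrypts this one session)
  3. the traffic key derived from 2 (what the record is encrypted under)
The DH group is a toy (prime 2^255-19, generator 2; NOT a safe DH group) and
the record protection is an HMAC-SHA256 keystream, NOT TLS; both are
assumptions so the script runs offline. All names are hypothetical.
"""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # toy modulus (assumption: real deployments use a vetted group)
G = 2


def derive_key(shared_secret: bytes, label: bytes) -> bytes:
    """Stand-in for the TLS key schedule: one HMAC step from shared secret to key."""
    return hmac.new(shared_secret, label, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy record protection: XOR with an HMAC-SHA256 counter keystream (symmetric)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def handshake_and_record(request: bytes, log_keys: bool = False):
    """
    One client <-> proxy session with ephemeral DH. Returns the packet capture a
    sniffer would see and, only if the proxy were configured to log session
    secrets, the proxy's ephemeral exponent; otherwise None.
    """
    client_priv = secrets.randbelow(P - 2) + 1
    proxy_priv = secrets.randbelow(P - 2) + 1
    client_pub = pow(G, client_priv, P)
    proxy_pub = pow(G, proxy_priv, P)
    # Both sides reach the same secret; only the public values cross the wire.
    shared = pow(client_pub, proxy_priv, P).to_bytes(32, "big")
    assert shared == pow(proxy_pub, client_priv, P).to_bytes(32, "big")
    traffic_key = derive_key(shared, b"toy traffic key")
    capture = {
        "client_pub": client_pub,
        "proxy_pub": proxy_pub,
        "record": keystream_xor(traffic_key, request),
    }
    # Normal behaviour: the exponents go out of scope here and are never stored.
    return capture, (proxy_priv if log_keys else None)


def decrypt_with_exponent(capture: dict, proxy_priv: int) -> bytes:
    """What a session-secret log would enable: recombine the exponent with the capture."""
    shared = pow(capture["client_pub"], proxy_priv, P).to_bytes(32, "big")
    return keystream_xor(derive_key(shared, b"toy traffic key"), capture["record"])


def decrypt_with_ca_key(capture: dict, ca_key: bytes) -> bytes:
    """
    The most someone holding only the root-CA secret can do is treat it as key
    material. It shares nothing with the session's exponents, so the result is
    noise rather than the request.
    """
    return keystream_xor(derive_key(ca_key, b"toy traffic key"), capture["record"])


def demo() -> bool:
    """True when the CA key alone fails to recover a normally handled session."""
    request = b"POST /login HTTP/1.1\r\n\r\nuser=alice&pass=hunter2"  # constructed
    ca_key = secrets.token_bytes(32)   # stand-in for the long-lived root-CA key
    capture, leaked = handshake_and_record(request)
    assert leaked is None
    return decrypt_with_ca_key(capture, ca_key) != request


if __name__ == "__main__":
    print("CA key alone fails to decrypt:", demo())
```

The practical check this suggests for a deployment review is not the root-CA key but the `log_keys` path: confirm the appliance has no debug or key-export setting enabled that would persist per-session secrets alongside packet captures, and that captures taken for troubleshooting are not stored together with such material.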