Generally, this is possible because the corporation controls the devices subject to monitoring; therefore, they can instruct the devices to trust their own CA certificate.
To make the PC trust the gateway CA certificate:
1. Export the CA certificate from the SmartDashboard (on the HTTPS Inspection window of the Security Gateway, or on the HTTPS Inspection > Gateways pane).
2. Install the certificate on the user's PC:
   - Manually put the certificate file in the user's PC. Click the file and follow the wizard instructions to add the certificate to the trusted root certificates repository on client machines.
   - Use GPO or group policy to distribute the certificate to a large group of users. See the documentation for more details.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65123&partition=General&product=HTTPS
They can then intercept the TLS handshake and substitute the certificate with one they generated and signed themselves, and which your device will trust. They can then act as a man-in-the-middle, decrypting your traffic before sending it on to the legitimate destination.
Is my ISP likely doing this as well?
No, your ISP isn't in a position where it has access to your devices; therefore, they cannot install their own trusted CA certificate.
Additionally, some clients (e.g. some mobile apps and some browsers in some circumstances) will "pin" certificates, meaning they will only accept a certificate signed by a particular CA. In that scenario they won't accept the certificates generated by your company.
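
The three trust decisions described in this answer can be reproduced offline with the `openssl` command line. This is an added example, not part of the original answer: the CA names, `example.test`, and the `managed`, `home` and `pinned` bundles are constructed stand-ins for a real trust store, and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example; every name here (Public CA, Corp Inspection CA, example.test) is constructed.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

# make_ca NAME CN: create a self-signed root CA (key + certificate) in $W.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}

# issue_leaf CA OUT: certificate for example.test with a fresh key, signed by CA.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$W/$2.key" 2>/dev/null |
    openssl x509 -req -CA "$W/$1.pem" -CAkey "$W/$1.key" -set_serial 1 \
      -days 1 -out "$W/$2.pem" 2>/dev/null
}

# trusts STORE CERT: succeeds only if CERT chains to a root in the STORE bundle.
trusts() { openssl verify -CAfile "$W/$1.pem" "$W/$2.pem" >/dev/null 2>&1; }

# spki_pin CERT: base64 SHA-256 of the certificate's public key (its SPKI).
spki_pin() {
  openssl x509 -in "$W/$1.pem" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl base64
}

verdict() { if trusts "$1" "$2"; then echo accept; else echo reject; fi; }

make_ca public "Public CA"            # CA that signed the real site's certificate
make_ca corp "Corp Inspection CA"     # CA exported from the inspecting gateway
issue_leaf public real                # certificate the site really serves
issue_leaf corp gateway               # certificate the gateway substitutes
cat "$W/public.pem" "$W/corp.pem" > "$W/managed.pem"  # PC after the CA was installed
cp "$W/public.pem" "$W/home.pem"      # device nobody else can add roots to
cp "$W/public.pem" "$W/pinned.pem"    # app on the managed PC using only its pinned CA

echo "managed PC, gateway cert:  $(verdict managed gateway)"
echo "home device, gateway cert: $(verdict home gateway)"
echo "pinned app, gateway cert:  $(verdict pinned gateway)"
echo "pinned app, real cert:     $(verdict pinned real)"
echo "real key pin:    $(spki_pin real)"
echo "gateway key pin: $(spki_pin gateway)"
```

The two key pins differ because the gateway cannot reuse the site's private key, so comparing a site's certificate issuer or key fingerprint from the managed PC against one taken on an unmanaged network shows whether inspection is in place.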