
How do deep packet inspection (DPI) tools prevent certificate warnings by decrypting and re-encrypting packets?

Frd

3 Answers


These devices work as a man in the middle, that is, the communication is no longer end-to-end. Because the SSL encryption is terminated at the DPI device and re-encrypted, the client does not see any information about the original encryption, especially:

  • Ciphers and protocol versions might be different, that is, the client does not notice if the original server used weak ciphers, because the traffic between the client and the DPI solution is protected with a better cipher or protocol version. On the other hand, it also allows a DPI solution to make sure that the connection to the server uses strong encryption no matter what the original client would do.
  • Certificate validation is done inside the DPI device and a new certificate will be created (signed by the DPI CA). This means the client will not see problems of the original certificate like a weak signature algorithm. On the other hand, the client cannot be tricked into accepting invalid certificates, because the DPI device could enforce strong validation.

Unfortunately there were several cases in the past where DPI devices made the whole system less secure because they failed to properly validate certificates, used a common proxy CA between all devices of a single vendor, or similar.

For more information about this topic I recommend reading the extensive article SSL/TLS Interception Proxies and Transitive Trust from 2012.

Steffen Ullrich

A packet inspector can simply ignore certificate warnings.

What is important is that the information can be decrypted, and normal users don't get warnings on their browsers.

Create a root certificate and install it in the certificate stores of all machines. Use a proxy like Charles to generate certificates and sign them with your root cert.

http://www.charlesproxy.com/documentation/proxying/ssl-proxying/

Neil McGuigan
  • It's not the appliance that's in question, it's the endpoints that don't see warnings the OP expects. – Alain O'Dea Nov 16 '15 at 18:44
  • @AlainO'Dea "Create a root certificate and install on all certificate stores in all machines." I think this explains it. – ThoriumBR Nov 16 '15 at 19:05

A deep packet inspector is configured with a decryption certificate, often issued for CN * (all sites), or generates and signs certs with an intermediate CA certificate that is itself signed and trusted by your CA certs supplied by ActiveDirectory or otherwise.

Systems behind such a decryption device are configured to trust its snooping activities via trusting the CA cert, intermediate cert, or global wildcard cert, and thus will not show warnings.

Alain O'Dea
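The mechanism all three answers describe, shown end to end as an added Go example (this is not code from the original page, from Charles, or from any DPI vendor; it only uses Go's standard crypto/x509 package): an organisation root that is pushed to every client, an interception CA issued under it (Alain's intermediate setup; trusting the interception CA directly, as in Neil's answer, works the same way), a leaf minted on the fly for the intercepted hostname, and the client-side chain check that decides whether a browser shows a warning. It goes one step beyond the answers by modelling the proxy-side validation Steffen mentions: with `validateUpstream` set, the device refuses to intercept an origin whose certificate it cannot verify; without it, a self-signed origin certificate comes out the client side looking perfectly valid. All CA names, the hostname `www.example.com`, and the "public CA" that signs the genuine origin certificate are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a certificate with the private key that signs under it.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue generates a fresh P-256 key for tmpl and has parent sign it (self-signed when parent is nil).
func issue(tmpl *x509.Certificate, parent *CA) *CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent = &CA{Cert: tmpl, Key: key}
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // nil on failure, rejected below
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return &CA{Cert: cert, Key: key}
}

// NewCA builds a CA: a self-signed root when parent is nil, otherwise an
// intermediate signed by parent (the "intermediate signed by your own CA" setup).
func NewCA(cn string, parent *CA) *CA {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, parent)
}

// NewLeaf issues a server certificate for host under ca: what the DPI device mints per intercepted host.
func NewLeaf(host string, ca *CA) *x509.Certificate {
	return issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca).Cert
}

// PoolOf builds a trust store; PoolOf() trusts nothing.
func PoolOf(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// Verify is the browser's check: hostname, validity period, chain to a trusted root.
func Verify(cert *x509.Certificate, host string, roots, intermediates *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: intermediates})
	return err
}

// Intercept models one origin connection on the DPI device: validate the origin's certificate
// against the proxy's own trust store, then mint a replacement leaf for the client under the
// interception CA. validateUpstream=false is the failure mode Steffen's answer mentions.
func Intercept(host string, origin *x509.Certificate, proxyRoots *x509.CertPool, ic *CA, validateUpstream bool) (*x509.Certificate, error) {
	if validateUpstream {
		if err := Verify(origin, host, proxyRoots, PoolOf()); err != nil {
			return nil, fmt.Errorf("refusing to intercept %s: %w", host, err)
		}
	}
	return NewLeaf(host, ic), nil
}

func main() {
	host := "www.example.com" // constructed sample hostname
	publicCA := NewCA("Public CA (constructed)", nil)
	orgRoot := NewCA("Org Root CA", nil)           // pushed to every client via AD/GPO
	dpiCA := NewCA("DPI Interception CA", orgRoot) // intermediate held by the appliance
	leaf, _ := Intercept(host, NewLeaf(host, publicCA), PoolOf(publicCA.Cert), dpiCA, true)
	fmt.Println("managed client:", Verify(leaf, host, PoolOf(orgRoot.Cert), PoolOf(dpiCA.Cert)))
	fmt.Println("client without the org root:", Verify(leaf, host, PoolOf(), PoolOf(dpiCA.Cert)))
	rogue := NewLeaf(host, NewCA("Self-signed origin (constructed)", nil))
	_, err := Intercept(host, rogue, PoolOf(publicCA.Cert), dpiCA, true)
	fmt.Println("strict proxy, rogue origin:", err)
	lax, _ := Intercept(host, rogue, PoolOf(publicCA.Cert), dpiCA, false)
	fmt.Println("lax proxy, rogue origin, client sees:", Verify(lax, host, PoolOf(orgRoot.Cert), PoolOf(dpiCA.Cert)))
}
```

The two `Verify` calls in the middle of `main` are the whole answer to the question: the same minted certificate validates cleanly for a client that has the organisation root installed and fails with an unknown-authority error for one that does not, which is the warning the question expects to see. The last two lines show why the upstream check matters: once the appliance signs for everything, the client's only remaining protection against a bad origin is whatever validation the appliance itself performs.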