Cyberoam deep packet inspection and certificates [LWN.net]

By Nathan Willis
July 11, 2012

The Tor Project recently discovered a security flaw in a line of commercial deep packet inspection (DPI) products; a flaw which an attacker could use to intercept the SSL connections of third-party users. The manufacturer of the product quickly pushed out an update, but DPI products from other vendors may still be affected.

Runa Sandvik wrote about the discovery on the Tor blog in a post dated July 3. According to that account, the discovery took place the week before, when a Tor user in Jordan contacted the project to report seeing a fake certificate for torproject.org, issued by Cyberoam. The project initially thought that a certificate authority (CA) might have been compromised (as in the DigiNotar incident in 2011), but upon investigation, that was not the case.

Cyberoam is a network security vendor that sells DPI devices. The user in Jordan was not witnessing an attack, but rather the evidence that the SSL connection to Tor had been intercepted by a Cyberoam DPI device. It is not clear from Sandvik's post whether the user was behind a corporate Cyberoam barrier (in which case he or she may have explicitly or implicitly agreed to the DPI interception) or was being monitored unwillingly. Whatever the circumstances, though, it was not the DPI filtering that constituted the security vulnerability.

CA certificate woes and default settings

Cyberoam's devices monitor SSL connections without generating browser errors by having the user install a Cyberoam CA certificate into the browser's trusted certificate store. Subsequently, the device intercepts SSL connections, issuing generated certificates (signed by the now-trusted Cyberoam CA certificate) for the requested sites and establishing the server-side connection on the other side of the intercept. This had happened to the user in Jordan, which was why he or she saw a Cyberoam-issued certificate for the torproject.org domain. The problem is that all Cyberoam devices ship with identical CA certificates and identical private keys. Consequently, Sandvik wrote, anyone can use a Cyberoam device to intercept traffic on any other Cyberoam-filtered network, or even extract the key and install it on other devices and use those to intercept traffic. In either case, the users would not detect that their traffic was being monitored by someone other than the approved authority.

Sandvik and Ben Laurie wrote a security advisory (CVE-2012-3372) about the issue and notified Cyberoam before publishing the blog post. Cyberoam wrote a post on its own blog detailing its response to the alert. According to Cyberoam's account, each affected device is capable of generating its own CA certificate, and the certificate shared by all devices was merely a "default." After Tor's alert, the company pushed out an update to all of its devices instructing administrators to generate a unique CA certificate, and it "forcefully generated unique keys for all the remaining appliances." The wording in that section is a bit ambiguous, but it appears that device administrators were encouraged to generate a new CA certificate locally, and those that did not do so quickly were updated to a unique certificate generated at Cyberoam, with further instructions on local key generation. Cyberoam (admirably) thanked Tor for the vulnerability report, and also said that the CA certificate update makes its DPI products significantly more secure than its competitors'.

For the update to take effect, users on a Cyberoam-monitored network will need to import the newly-generated CA certificate into their browser's trusted certificate store. Whether they do so willingly depends on whether they have consented to be monitored by the device. For its part, Tor expresses little sympathy for organizations using DPI to intercept users' connections, repeatedly calling them "victims" in the security alert text, and adding the footnote: "In the corporate setting, willing victims are often known as 'employees'. Unwilling victims should not, of course, install the CA certificate, nor should they click through certificate warnings." On the other hand, the alert calls Cyberoam's approach "the only legitimate way to use these devices," in contrast with monitoring schemes that require persuading a CA to issue fake certificates.

Security impact

Without knowing the details of the user who reported the issue initially, it is impossible to say whether or not Cyberoam devices are being used to monitor Internet users without their consent. There are legitimate uses for DPI, of course, such as protecting a corporate network. But the report hints at a different scenario, because the user reported that common web sites (such as Gmail and Twitter) showed the correct CA certificates — suggesting that torproject.org was being selectively targeted for interception.

In comments on the Tor blog, some readers questioned whether the case was one of consenting monitoring done at an employer, or unwilling surveillance. One anonymous reader commented that the Cyberoam devices in question only intercept SSL connections to check for malware, and that Tor had "raised a non-existing vulnerability." Sandvik replied that there were two separate issues at play: the use of the device to intercept torproject.org traffic , and the fact that all Cyberoam devices shipped with the same CA certificate.

Cyberoam's response should seal the second issue, assuming that future devices ship only with unique keys. A master CA certificate controlled by Cyberoam could still be used to sign the individual device keys. In that case, Cyberoam might sign a separate "intermediate" CA certificate for each individual device. Thus the users only need to install the original Cyberoam certificate in the browser's trust store, and the certificate trust chain still validates. If device administrators have to re-generate a new CA certificate for the device, they must have Cyberoam sign it, but they do not have to have every user install something new.

But as Sandvik asked in the comment thread, "How can you be sure that the device being used in this case is not doing DPI, but 'just' HTTPS scanning for antivirus?" Implicitly, the answer is "you can't," which is one of the fundamental justifications for Tor and similar privacy-protecting projects. How the user in Jordan came to be behind a Cyberoam scanning device is unknown, but if he or she agreed to have web traffic monitored, particularly to the point of manually installing a CA certificate in the browser, then there is little or nothing to prevent the monitoring party from engaging in all sorts of mischief. Although, in an interesting side note, several anonymous commenters on the Tor blog posted what they claim to be the Cyberoam devices' default private key. So even if few people learn a lesson about the dangers of consenting to traffic monitoring, perhaps a few others will learn a lesson about leaving the default security settings in place.

(Log in to post comments)

That's what dot1x is for

Posted Jul 12, 2012 14:39 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

This "everything is the web, I'll just lie until the user sees my web page and fills out the form" is really stupid. It's false laziness, and it has been getting progressively more, and more, and more broken over time.

There are ways to authenticate to an actual network before you use it, and there are deployed systems using them, but as usual the quick hack somebody threw together without really knowing what they're doing has somehow become the canonical "only way to do it" and soon there are otherwise intelligent people writing that there's "no way in the protocols" and it's "the only way" as you have done.

That's what dot1x is for

Posted Jul 12, 2012 15:41 UTC (Thu) by nim-nim (subscriber, #34454) [Link]

No it's not

dot1x is here to control access to the local network, the gateways dpi and captive portals are deployed in are between the local network and the exterior (you don't want to cut access of lab stations to the lab network and to internal webapps; you do want to check if someone that tries to access dangerous content from the lab network is authorized to).

That's what dot1x is for

Posted Jul 12, 2012 20:20 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Have you discussed your approach with anybody who actually knows what they're doing? Because you really should, and if you have control over anything worth worrying about you should do it immediately.

Not so long ago I met with our physical penetration contractor. Unlike you and me they spend a lot of time trying to use the Internet without being properly "authorized". They do all the expected things, they have the clothes and the gear, the patter and the looks. Do you know how many times they've been stopped in their tracks by network security? Never. Not once. Once in a while an employee won't hold open the door for the pretty young woman with her hands full. Every so often the front desk wants the guy with a high visibility jacket and a toolbox to present a work order signed by the right person. Sometimes rather than call the number from the official looking papers the security guard uses the phone book to get the real number. Some companies actually close the fire doors even though they're a convenient way to go outside for a smoke. But web-based "authentication"? Never a problem.

That's what dot1x is for

Posted Jul 13, 2012 8:33 UTC (Fri) by nim-nim (subscriber, #34454) [Link]

Just FYI:

1. this kind of gateway is not intended to be perfect, just to save lots of organisation time and resources by preventing users from f-up their work station and infecting the internal network by visiting malware sites, preventing them from wasting organisation time and leaking organisation data by spending their time on facebook and friends, preventing them from saturating access points by watching live hd video or other non-work-related heavy material from internal networks

2. it's not an absolute barrier to technophiles but they don't present the same risks and won't accidentally endanger their work tool by being absolutely clueless (I know how to bypass most of the checks thank you very much. That's not the point)

3. you need a way to let people with legitimate need and reasonable ability access dangerous web resources to avoid them wasting their time finding workarounds (so the filtering needs a way to identify users to elevate them)

4. there are many other ways to compromise a network and there is no economic justification to waste limited resources ironclading one entry point instead of trying to get them all at reasonable danger levels

5. I've checked with the correct ietf workgroup what I wrote. I guess that takes care of discussing with 'someone who actually knows what he's doing'

6. The way things fail today is 100% due to free software people being absolutely clueless about non-personal-network needs (either they work from home or they negotiated their own free-for-all internet access bubble at work and think it should be generalised to the clueless lamb that think it's less hassle to change their personal PC every few years rather than try to understand why it periodically crawls to a halt and starts showing porn web sites, and for whom facebook data is private).

7. The only setup that sort of works apart from DPI is to force everyone to use a windows system + internet explorer and use the AD to provide the network gateway auth credentials. Because Microsoft at least invested time learning the use-cases instead of treating this class of customers as idiots

That's what dot1x is for

Posted Jul 14, 2012 2:20 UTC (Sat) by tialaramex (subscriber, #21167) [Link]

You've shifted the goal posts from "check those guests are actually authorized" to "preventing them [employees] from wasting organisation time"

What you have is a severely dysfunctional corporation. Network security is the least of your problems.

That's what dot1x is for

Posted Jul 14, 2012 9:37 UTC (Sat) by nim-nim (subscriber, #34454) [Link]

What I have is a real-world big organisation with enough people there will always be a bored clueless user somewhere who will mess things for himself and others unless limits are put in place.

Yes you don't have this kind of problems with a few hundred people you can always educate directly

That's what dot1x is for

Posted Jul 14, 2012 11:09 UTC (Sat) by hummassa (subscriber, #307) [Link]

You are sistematically ignoring the title of this subthread.

The "access control" thing has a solution, and it's not deep packet inspection, it's 802.1x.

The "traffic shaping" thing has a solution, and once your user is authenticated with 802.1x, you can identify their traffic and mark their packets and shape it so it does not mess things for himself and others.

If you have a real-world big organization, you shoudn't snoop people's bank account passwords (THAT is what your deep packet inspection is doing, anyway) so you don't incur in a HUGE liability (bank auditor inspecting user laptop: "no viruses or trojans, let's check the bank certificates... whoa, a fake one, not in my list... who emitted this? ah, a MITM box, whose box? aha! they snooped the password. hi, legal department, I found someone for you to sue." -- true story)

That's what dot1x is for

Posted Jul 14, 2012 11:54 UTC (Sat) by nim-nim (subscriber, #34454) [Link]

You are systematically ignoring the article you're commenting on.

I've already explained why 802.1x was useless for gateway authorisation. Putting it in the title thread does not make it any less useless.

Quoting Willy Tarreau (Linux 2.4 maintainer, haproxy author, IETF HTTPbis WG member):

> Despite our disgust for this fact, HTTP has become a de-facto standard
> transport protocol for many purposes. WebSocket is a proof of this, it was
> born to address the dirty bidirectional mechanisms that were appearing
> everywhere. A wide number of tools are able of using the HTTP CONNECT
> method over a proxy to reach a point on the net (for VPNs, SSH, etc...).
> HTTP has brought what TCP lacks : user authentication and bouncing over
> proxies even in non-routable environments.

[…]

> The problem is that right now the migration to HTTPS for many sites has
> caused increased need for HTTPS content analysis, and a large number of
> products are now used to spoof certificates and control everything. This
> is not acceptable (technically speaking, and from the user's privacy
> respect). We absolutely need the new HTTP standard to make it possible
> for end users to choose if their contents may be analysed by the proxy
> or not

Is that enough to make you understand that perhaps you don't understand all the use cases?

That's what dot1x is for

Posted Jul 14, 2012 12:20 UTC (Sat) by hummassa (subscriber, #307) [Link]

The text you quoted states clearly that "HTTPS content analysis [...] is not acceptable (technically speaking, and from the user's privacy respect)". So it's not me being dense.

It also states that "Despite our disgust for this fact, HTTP has become a de-facto standard transport protocol for many purposes". This means, in other words, that "a lot of people is using what they should not be using", i. e., there are other solutions to that.

Finally, you state that "perhaps you don't understand all the use cases?" Nope, I do, in fact, understand _all_ the use cases. And for all of them, a well-thought combination of network authentication (802.1x + RADIUS), traffic shaping, and maybe limited VPNs are the correct solution, in the correct network layers.

Maybe you can disprove me if you cite one use case (or more than one!) where my last statement is not true (*), or if you can explain to me why it is so.

(*) I will probably show you that you are wrong, and that dot1x is a better and simpler solution. But give your best shot, I don't mind being wrong.

That's what dot1x is for

Posted Jul 14, 2012 12:42 UTC (Sat) by nim-nim (subscriber, #34454) [Link]

The text I quoted clearly states 'people are doing stuff they should not because the current protocols are not adapted to what people need to do, thus those protocols need to change' and not 'people are doing stuff they should not and they should use 802.1x + RADIUS instead'.

Your "well-thought combination of network authentication (802.1x + RADIUS), traffic shaping, and maybe limited VPNs" is a deployment nightmare (and is getting worse the bigger your organisation is) which is why big orgs just use interception instead (which can be deployed easily and solves their problems even if it has ugly privacy side-effects).

But feel free to communicate your thoughts to the httpbis ietf workgroup.

(btw the current http/2 discussions would make an interesting lwn article topic)

That's what dot1x is for

Posted Jul 14, 2012 15:30 UTC (Sat) by hummassa (subscriber, #307) [Link]

> Your "well-thought combination of network authentication (802.1x + RADIUS), traffic shaping, and maybe limited VPNs" is a deployment nightmare (and is getting worse the bigger your organisation is) which is why big orgs just use interception instead (which can be deployed easily and solves their problems even if it has ugly privacy side-effects).

This does not parse to me. We just deployed your "nightmare" to an organization with 3000 users and 5000 devices in less than a week. They select WPA2Enterprise, write their login, their password and voilà. Wired connections are managed by a combination of MAC addresses and kerberos workstation authentications (any OSes where this would be complicated are just added as exceptions and bypass the authentication but they are mapped to a physical network point, so anything funky is easy to block). Each user/device combo has access to a specific routing and traffic shaping ruleset.

Is it more difficult than "plug MITM machine after the router and use the default settings"? Yes, it is. Is it much more difficult? No. Is it safer? YES. Do orgs as big as mine and bigger just use interception instead because it is easier? Yes, but mainly it is because they are lazy and haven't seen all the consequences.

As I told you, your problem is not just "ugly privacy side-effects", but "ugly liability side-effects because once your machine decrypted my encrypted communications between me and my bank or my government you can take a peek at it". It's not that you _will_ take a peek at it. Is that if passwords/keys/confidential records get copied, you will have the onus of proving you didn't copy them -- because, you know, you could.

> But feel free to communicate your thoughts to the httpbis ietf workgroup.
> (btw the current http/2 discussions would make an interesting lwn article topic)

Please link them!

One more thing: I asked for (at least one) use-case where https interception would be better than dot1x+radius... :-D

That's what dot1x is for

Posted Jul 14, 2012 15:48 UTC (Sat) by nim-nim (subscriber, #34454) [Link]

> This does not parse to me. We just deployed your "nightmare" to an
> organization with 3000 users and 5000 devices in less than a week

Do you realize that with the current economic crisis, many companies announce layoffs which are bigger than your whole organization size? (sometimes, for a single physical site)

3000 users is not even remotely in the big category

That's what dot1x is for

Posted Jul 14, 2012 17:53 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

I've tried all of the "enterprisey" stuff in my organization (around 10 developers with Linux/Windows computers). I can honestly say that Kerberos, LDAP and all other stuff is a piece of crap.

It requires a lot of setup, it breaks in non-trivial ways, it's not really completely compatible between implementations and usually doesn't actually work.

That's what dot1x is for

Posted Jul 15, 2012 12:21 UTC (Sun) by jubal (subscriber, #67202) [Link]

Do you routinely use nukes to take out anthills too?

That's what dot1x is for

Posted Jul 15, 2012 12:32 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

I prefer kinetic bombing with asteroids...

My opinion is that technologies should scale down as well as up. If a technology only works for companies with 30000000000 employees then it's a dead technology (sooner or later, usually sooner).

For example, Kerberos + LDAP promise seamless and transparent authentication throughout all the corporate services. Except that it doesn't work on iPads. Fail.

That's what dot1x is for

Posted Jul 15, 2012 13:06 UTC (Sun) by hummassa (subscriber, #307) [Link]

I don't know. There are things and technologies that have a "sweet spot" in size. Even if nim-nim thinks I am braindead because of the way we implemented our 5000-device network, I think the technology (dot1x, RADIUS, LDAP) worked (and has been working) really well for that network size. It took us a fortnight of research and training and less than a week of work to implement.

That's what dot1x is for

Posted Jul 15, 2012 13:15 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

And then you need one device which doesn't support WPA2 Enterprise and you have to start improvising. And you'll get such devices quite soon because vendors can't be bothered to implement support for 'enterprisey' stuff if it's no use for most of their consumers.

I know such a company. They've deployed Ethernet/WiFi authentication using IPSec throughout the company, with smart cards for desktop logins, etc. And then they had to make it work with Windows CE-based devices (they've paid me to do this, actually). Turned out that it was easier to create a separate unsecured WiFi network and pipe everything important over HTTPS.

That's what dot1x is for

Posted Jul 15, 2012 15:00 UTC (Sun) by hummassa (subscriber, #307) [Link]

> And then you need one device which doesn't support WPA2 Enterprise and you have to start improvising.

We already had plans in place for that (we have many such devices, especially those that do not belong to the organization). And the vendors who could not be bothered to implement suport for WPA2/Enterprise, we just don't buy from them.

> Turned out that it was easier to create a separate unsecured WiFi network and pipe everything important over HTTPS.

Sometimes, yes it is (or create a less-secured, WPA2/Personal or WPA1 protected network and go from there)... but if you plan right, you can isolate those cases...

That's what dot1x is for

Posted Jul 15, 2012 15:08 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

>We already had plans in place for that (we have many such devices, especially those that do not belong to the organization). And the vendors who could not be bothered to implement suport for WPA2/Enterprise, we just don't buy from them.
Yeah, tell that to execs with their shiny new toys.

Besides, once you implement the parallel infrastructure that actually works _better_ than your secured-down-to-the-wire IPSec network, people start asking: "Why have we even bothered with this ipsec crap?"

So that's why middlebox vendors make a killing selling various DPI tools to organizations. Sure, they violate all the possible RFCs and all the notions of protocol layering. But at the same time they actually work in RealLife(tm).

That's what dot1x is for

Posted Jul 15, 2012 15:31 UTC (Sun) by hummassa (subscriber, #307) [Link]

> Besides, once you implement the parallel infrastructure that actually works _better_ than your secured-down-to-the-wire IPSec network, people start asking: "Why have we even bothered with this ipsec crap?"

We deal with this limiting EXTREMELY the bandwidth and reliability of the secondary infrastructure. If you want to use a non-standard thing, pay the price.

> So that's why middlebox vendors make a killing selling various DPI tools to organizations. Sure, they violate all the possible RFCs and all the notions of protocol layering. But at the same time they actually work in RealLife(tm).

For a really wide definition of working...

That's what dot1x is for

Posted Jul 15, 2012 17:16 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link]

>We deal with this limiting EXTREMELY the bandwidth and reliability of the secondary infrastructure. If you want to use a non-standard thing, pay the price.

Nice. Increasing success by lowering expectations.

That's exactly why more and more people ditch all the 'standards compliant' crap and instead install something that is simple and stupid, but actually usable.

> For a really wide definition of working...
It gets stuff done. It doesn't annoy people. It's fairly easy to troubleshoot.

What more do you need?

That's what dot1x is for

Posted Jul 15, 2012 18:18 UTC (Sun) by hummassa (subscriber, #307) [Link]

> What more do you need?

No exposure to huge liabilities?

That's what dot1x is for

Posted Jul 15, 2012 12:59 UTC (Sun) by nix (subscriber, #2304) [Link]

Is that saying about Windows sysadmins versus Unix sysadmins no longer true, then?

(That Windows sysadmins treat their work as if it were home, with lashup hacks that fall apart all the time, while Unix sysadmins treat their home as if it were work, with high-end stuff like Kerberos all over the place hugely overspecified for their tiny setups. It's not true of Windows anymore, which is a lot less lashupy now that the Windows 9x line has died, but I certainly thought it was still true of a lot of Unix sysadmins.)

Liability

Posted Jul 16, 2012 11:37 UTC (Mon) by robbe (subscriber, #16131) [Link]

> If you have a real-world big organization, you shoudn't snoop people's bank
> account passwords[...]

Hereabouts organisations solve that problem by a combination of:
* forbidding private use of their Internet connection
* informing employees that their Internet traffic can be monitored, even HTTPS

The nicer companies allow exceptions (e.g. private surfing during breaks) but put the onus on their employees to inform them of websites that should never ever be snooped upon. A whitelist of sites that are not MITMed is a standard feature of these SSL scanner products.

I see a much bigger problem at the moment with mobile devices that can jump from unsecured (e.g. 3G) to a privileged (e.g. company WLAN) net in seconds ... sometimes without the user even noticing.