Cyberoam pushes fix for SSL Vulnerability

Deep packet inspection company Cyberoam has issued a hotfix to its devices, after earlier asserting that its technology “followed industry best practices for SSL bridging”.

The issue emerged when Tor Project researchers asserted that Cyberoam devices used the same skeleton certificate on all of its devices. This, the researchers argued, opened up dangerous possibilities for traffic interception.

Cyberoam has now issued an over-the-air fix which forces devices to generate unique CAs for each appliance. Devices that have implemented the fix should provide users with a message that the default CA certificate used in HTTPS scanning has been replaced – and that end users will need to re-import the certificate “for uninterrupted secure browsing”.

The network snooping security vendor says if the message is not displayed, the appliance “is still vulnerable” and users should change the default CA “using the CLI command meant for that purpose”.

In its previous response, Cyberoam had said that since all HTTPS scans take place in real time, there is no possibility of interception between different devices.

Cyberoam – Who are we?
Cyberoam UTM is a network security solution appliance vendor.

We secure our customers against internal, external, and blended threats. We are committed to our customers’ data confidentiality and integrity.

HTTPS Deep Scan Inspection – The Universal Technology
HTTPS Deep Scan Inspection is driven by SSL Bridging Technology. In SSL Bridging, the Cyberoam appliance provides a self-signed certificate to the client whilst establishing a secure connection with the client and server. Hence, Cyberoam can now scan the SSL traffic for malware. This is the only legitimately acceptable approach being followed by the network security vendors. TOR also acknowledges the same. A default certificate is shipped which remains the same across all the appliances.

Roles of Public and Private keys in SSL Bridging
Public and private keys act like a lock-and-key mechanism where the lock (public key) is constant, but the keys (private key) are variable.

Having said this, theoretically it is possible to decrypt SSL data using a conned private key. Cyberoam UTM does not allow import or export of the aforesaid private key used for the SSL-Bridging technology.

Cyberoam – Not a Mass Surveillance Device but a Network Malware protection device
Cyberoam UTM either accepts or rejects, but does not store HTTPS Deep Scan Inspection data, as processing is done in real-time. The possibility of data interception between any two Cyberoam appliances is hence nullified.

Cyberoam secures with Confidence
Having vindicated Cyberoam technology, we appreciate TOR for the awareness campaign. However, we would like to assure all our customers that Cyberoam continues to secure you.

[Source: By Richard Chirgwin]
