Closed Bug 771860 Opened 13 years ago Closed 13 years ago

Block Cyberoam SSL CA

Categories

(Core :: Security, defect)

x86
macOS
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: gen, Unassigned)

Tor project developers have identified a "Cyberoam SSL CA" that is used in Cyberoam devices for deep packet inspection. This CA has a security flaw: "Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key. It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or to extract the key from the device and import it into other DPI devices, and use those for interception." Mozilla should block this CA from Gecko/NSS to make sure that users are not MITM by this vector. Additional information here: https://blog.torproject.org/blog/security-vulnerability-found-cyberoam-dpi-devices-cve-2012-3372
There is a discussion of this in mozilla.dev.security. Dan Veditz points out: "They're not a CA. Businesses wishing to use the Cyberoam devices need to install the Cyberoam self-issued CA-cert on each computer on the network. Enterprises could either push the cert to everyone if they have that kind of tool, or require that workers "voluntarily" install it themselves (because otherwise you aren't able to reach the internet)."
http://blog.gerv.net/2012/07/mitm-boxes/

"From reading their online docs, this problem seems to also occur with similar devices from Sonicwall (PDF; page 2) and Fortigate. (Thanks to a commenter on the Tor blog for noticing this.) I suspect that many vendors use this insecure configuration by default. The Cyberoam default root certificate is not trusted by the Mozilla root store – Cyberoam is not a CA – and we do not plan to take action at this time. However, this is another important lesson in the unintended consequences of intentionally breaking the Internet’s security model. Messing with the Internet security infrastructure breaks things, in unexpected and risky ways. Don’t do it."

Gerv
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
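
An added example, not part of the bug thread or of Mozilla's code: because the thread notes that the Cyberoam certificate only becomes trusted when it is installed on each machine, an administrator can audit a trust store for it. The sketch matches only on the name "Cyberoam SSL CA" from the report (the page gives no fingerprint) and reads the store Python's `ssl` module sees, which is not Firefox's NSS database; the function names and the sample store are assumptions made up here.

```python
import ssl

# Name from the bug report. A name match is only a hint: the page gives no
# fingerprint, so confirm any hit by inspecting the certificate itself.
WATCHLIST = {"cyberoam ssl ca"}

def common_names(name):
    """Extract commonName values from an ssl-module name (tuple of RDN tuples)."""
    return [value for rdn in name for key, value in rdn if key == "commonName"]

def find_shared_dpi_roots(ca_certs, watchlist=WATCHLIST):
    """Flag trusted CA entries whose subject CN is on the watchlist.

    ca_certs uses the dict format returned by SSLContext.get_ca_certs().
    """
    hits = []
    for cert in ca_certs:
        subject = cert.get("subject", ())
        for cn in common_names(subject):
            if cn.strip().lower() in watchlist:
                hits.append({
                    "name": cn,
                    "serial": cert.get("serialNumber"),
                    # Subject == issuer: a self-issued root, as the thread describes.
                    "self_issued": subject == cert.get("issuer", ()),
                })
    return hits

def _entry(cn, issuer_cn, serial):
    """Build one constructed store entry (hypothetical helper for the sample)."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "serialNumber": serial}

# Constructed sample store; serials and the "Example" names are made up.
SAMPLE_STORE = [
    _entry("Example Public Root", "Example Public Root", "01"),
    _entry("Example Intermediate", "Example Public Root", "02"),
    _entry("Cyberoam SSL CA", "Cyberoam SSL CA", "03"),
]

if __name__ == "__main__":
    print("sample:", find_shared_dpi_roots(SAMPLE_STORE))
    # Real store as seen by Python/OpenSSL. Certificates in a capath directory
    # are not listed until used, and Firefox's NSS store is separate.
    ctx = ssl.create_default_context()
    print("local:", find_shared_dpi_roots(ctx.get_ca_certs()))
```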