Question

I work for a consulting company, and I have been implementing a tool from a security vendor, which is a cloud proxy for all user traffic. It will perform malware scanning and filtering of all web traffic. It works by enforcing a proxy autoconfiguration file to redirect HTTP/HTTPS traffic to one of the vendor's global data centers. We, of course, need to deploy certificates to each workstation in order to proxy HTTPS traffic and perform the MITM for malware scanning.

My question: how is this different from Superfish installing a root cert? I've been reading about how the private key for Superfish is stored on the machine. I assume corporate MITM attacks do not have this same vulnerability, but how does the architecture work differently in a corporate environment?

Explanation / Answer

The main difference between Superfish and a Corporate Proxy is how the new SSL certificate is generated.

In the Superfish case, the CA certificate and the private key reside on the client computer, and the software generates a new SSL certificate with a key it holds itself. The traffic is intercepted locally, a new certificate is generated on the client, and sent to the browser. Anyone having access to debug tools can extract the certificate and the key, because they are both on the client computer.

In the Corporate Proxy case, the CA Certificate will be installed on every client computer, but the private key resides on the proxy server. If the server has adequate protection, the key will not be compromised. The traffic is intercepted on the proxy server, and sent with a new certificate to the client. It's not possible to extract the private key on the client, because the key is only on the server.
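
The distinction drawn above can be checked on a Windows workstation. The following is an added example, not part of the original answer or any vendor's tooling: it lists trusted root certificates for which a private key is also registered in the local Windows certificate store. The function name `Find-LocalCaPrivateKey` is hypothetical, and a key that an application keeps inside its own files is outside what this check can see.

```powershell
# Added example: report trusted roots whose private key is present locally.
# In the corporate proxy design only the CA certificate is deployed, so a
# correctly provisioned workstation should return no rows for the proxy CA.
function Find-LocalCaPrivateKey {
    [CmdletBinding()]
    param(
        # Trust-anchor stores to audit (machine-wide and per-user roots).
        [string[]]$TrustStore = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    $certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]

    # Index every key-bearing certificate in ANY store by thumbprint, so a
    # root whose key-linked copy sits in another store (e.g. "My") is caught.
    $keyed = @{}
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is $certType -and $_.HasPrivateKey } |
        ForEach-Object {
            if (-not $keyed.ContainsKey($_.Thumbprint)) { $keyed[$_.Thumbprint] = @() }
            # PSParentPath looks like "...Certificate::LocalMachine\My"
            $keyed[$_.Thumbprint] += ($_.PSParentPath -replace '^.*::', '')
        }

    # Emit one row per trusted root that has a matching local private key.
    foreach ($store in $TrustStore) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_ -is $certType -and $keyed.ContainsKey($_.Thumbprint) } |
            ForEach-Object {
                [pscustomobject]@{
                    TrustStore = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    KeyFoundIn = ($keyed[$_.Thumbprint] | Sort-Object -Unique) -join ', '
                }
            }
    }
}

Find-LocalCaPrivateKey | Format-Table -AutoSize
```

Any row returned means the signing key for a trusted root is on the client, which is the arrangement the answer attributes to Superfish rather than to a server-side proxy.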