This email was sent to firstname.lastname@example.org by a Cyberoam pre-sales employee on July 6th, a few days before the private key for all devices was leaked in a comment at https://blog.torproject.org/blog/security-vulnerability-found-cyberoam-dpi-devices-cve-2012-3372#comment-16463:

Hello Ms. Sandvick,

We appreciate the work you are doing and your contribution to enhancing security awareness. We are impressed by your dedication and passion towards network security and share a similar passion for our work.

It might sound dichotomous, but we took our time in replying to you as we understood the importance and urgency of your concerns. Some of the best brains in the organization were put together to understand the seriousness of the situation.

After continuous brainstorming, we concluded that there exists a theoretical possibility (however remote) of extracting the private key. Given physical access to the appliance and unlimited time, any static encryption algorithm can be cracked. In view of the above realization and the issue snowballing the way it is now, we do not want our customers to be at risk, however minimal it may be, at any time.

Even though Cyberoam provides a mechanism to change the default CA on the appliance, customers do not change the defaults, due to unawareness in most cases. Keeping this reality of customer behavior in mind, we are taking a proactive step to release a "Hotfix" on all appliances that would generate a unique CA for each Cyberoam unit. This will nullify the risk of the private key being leaked by any chance, be it through human error or by willful hacking. Each appliance would now have its own unique private key.

Having said that, we would like to draw your attention to the fact that the HTTPS inspection feature in Cyberoam is not turned on by default; it requires manual administrative action to enable the inspection. In addition, the Cyberoam administrator has the ability to bypass malware scanning for privacy-critical websites like banking, so as not to leave any iota of doubt for privacy concerns in the end user's mind.

In addition, all modern browsers recognize a manually deployed CA and provide a visual notification. E.g., in Firefox the site information control in the navigation toolbar turns blue instead of the normal green. The color coding, being conspicuous, expects a level of technology maturity which is lacking in most end users.

Another point to be noted is that ALL the HTTPS inspection products that we know of have a similar mechanism and ship with a common default CA across all appliances. This runs a similar risk to the one you pointed out in your advisory, and we are not the only vendor using such a methodology.

The TOR blog contains a comment where a user from India has posted a long comment about multiple vendors and their certificates. This highlights that the same technology is being used in most security appliances. Saying this, we would request two things of you.

1. Make sure that we are not unjustly singled out and taken to task.
2. Investigate the prevalent industry practices by looking at how all other products implement this, and take a decision that would benefit the users, the security administrators and the industry.

Feel free to contact me for any questions you have in this regard.