Solved

Blue Coat SSL Interception

Posted on 2011-02-22
2,056 Views
Last Modified: 2012-05-11
Hi,

We have the Blue Coat appliance that allows for SSL interception. Is anyone familiar with this? Does this require pushing a certificate out to every workstation? Thanks.
Question by:NYGiantsFan
4 Comments
 
Assisted Solution

by:Dave Howe
Dave Howe earned 2000 total points
ID: 34952084
Yes, it does.

The Blue Coat appliance has a fake "CA" certificate (which you can generate yourself if you wish, although it will happily self-generate) which you must push to all workstations or they will generate an "invalid certificate" error.

In an AD environment you can conveniently do this via Group Policy. In a non-AD environment (but one with login scripts) you can export the cert in the form of a registry key and use silent registry import (or a bit of VBS) to push it into registry keystores.

Note that the certificate will *still* be invalid for Java applets and non-Microsoft browsers (Opera, Firefox, Chrome etc.), as the Windows keystore is used by MS products pretty much exclusively (so Internet Explorer or .NET apps).

Author Comment

by:NYGiantsFan
ID: 34952280
Dave,

Thanks for your brilliance again!


The problem I am having is that people are saying that every user needs a separate key that needs to be purchased from Entrust (thus running into hundreds of thousands of dollars).

I believe you can set up your own certificate authority and assign a private key to Blue Coat, then the public key will be sent to each browser. That public certificate can be assigned via Active Directory.

Is this correct?

Accepted Solution

by:Dave Howe
Dave Howe earned 2000 total points
ID: 34953148
No, not even that complex.

The Blue Coat requires a CA-type key and certificate; you can generate this yourself, but the Blue Coat comes with a tool to create a self-signed certificate if you don't have a CA already (I think it's basically just openssl.exe, though).

I usually use xca, which has stood me in good stead for such things, so I haven't tried the bundled tool.

During operation, the Blue Coat visits the target site, then generates a matching certificate signed with its own CA key, and with its own public key replacing the original (so it can decrypt the traffic), which is sent to the client. That is then used as the primary element in a man-in-the-middle attack, similar to that performed by the "WebScarab" program.
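The mechanism Dave describes in the accepted solution (a CA key the proxy controls, a per-site leaf certificate minted with the proxy's own key and signed by that CA) together with the consequence from his first answer (any client that does not hold the proxy CA as a trust anchor gets an "invalid certificate" error), reproduced end to end with openssl as an added example. This is not Blue Coat's code or tooling and not a transcript of what the appliance does internally; the host name www.example.com, the CA name, the scratch directory and all file names are assumptions, and the "origin" certificate is a constructed self-signed stand-in for the real site's certificate that the proxy would fetch by connecting to the site.

```shell
#!/bin/sh
# Added example, not Blue Coat's own code: reproduce with openssl what an
# intercepting proxy does, so each step can be inspected on disk.
#   1. the proxy's CA key + self-signed CA certificate (the "fake CA" that has
#      to be pushed to every workstation);
#   2. a stand-in for the real site's certificate (constructed here; the real
#      proxy fetches it by connecting to the site);
#   3. a forged leaf for the same host name that carries the PROXY's public key
#      and is signed by the proxy CA;
#   4. checks a client can run: the forged leaf is accepted only when the proxy
#      CA is a trust anchor, and its key and issuer differ from the real site's.
# TARGET, WORK and all file names are assumptions made for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
TARGET="${TARGET:-www.example.com}"
mkdir -p "$WORK/empty"          # empty CApath so no system roots leak into verify

# Minimal openssl config: a CA profile and a server-leaf profile.
cat > "$WORK/ssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$TARGET
EOF

# Step 1: the proxy CA. Blue Coat self-generates an equivalent; xca or a
# Microsoft CA can issue it instead and the result is imported.
make_proxy_ca() {
    openssl genrsa -out "$WORK/proxy-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key "$WORK/proxy-ca.key" \
        -subj "/O=Example Corp/CN=Example Corp SSL Interception CA" \
        -config "$WORK/ssl.cnf" -extensions v3_ca -out "$WORK/proxy-ca.pem"
}

# Step 2: the real site's certificate (constructed, self-signed stand-in).
make_origin_cert() {
    openssl genrsa -out "$WORK/origin.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -key "$WORK/origin.key" \
        -subj "/CN=$TARGET" -config "$WORK/ssl.cnf" -extensions v3_leaf \
        -out "$WORK/origin.pem"
}

# Step 3: the forgery. Same host name as the origin, but the key pair is the
# proxy's (so the proxy can decrypt the session) and the signer is the proxy CA.
forge_leaf() {
    openssl genrsa -out "$WORK/proxy-leaf.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/proxy-leaf.key" -subj "/CN=$TARGET" \
        -config "$WORK/ssl.cnf" -out "$WORK/forged.csr"
    openssl x509 -req -sha256 -days 30 -in "$WORK/forged.csr" \
        -CA "$WORK/proxy-ca.pem" -CAkey "$WORK/proxy-ca.key" -CAcreateserial \
        -extfile "$WORK/ssl.cnf" -extensions v3_leaf -out "$WORK/forged.pem" 2>/dev/null
}

# Step 4: client-side checks.
# Prints "trusted" or "rejected": does a client whose ONLY trust anchor is the
# certificate in $1 accept the forged leaf?
client_verdict() {
    if openssl verify -CAfile "$1" -CApath "$WORK/empty" "$WORK/forged.pem" 2>/dev/null \
        | grep -q ': OK$'; then echo trusted; else echo rejected; fi
}
# SHA-256 of the SubjectPublicKeyInfo inside a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}
# SHA-256 of the public half of a private key file.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
# "yes"/"no": was certificate $1 issued by the CA certificate $2?
# (issuer-name hash vs subject-name hash, stable across openssl versions)
issued_by() {
    [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$2" -noout -subject_hash)" ] && echo yes || echo no
}

make_proxy_ca
make_origin_cert
forge_leaf

echo "forged leaf, client trusting only the real site's cert: $(client_verdict "$WORK/origin.pem")"
echo "forged leaf, client trusting the proxy CA:              $(client_verdict "$WORK/proxy-ca.pem")"
echo "forged leaf carries the proxy's key: $(key_pubkey_fp "$WORK/proxy-leaf.key" | cut -c1-16)..."
echo "real site's key:                     $(cert_pubkey_fp "$WORK/origin.pem" | cut -c1-16)..."
echo "forged leaf issued by proxy CA:      $(issued_by "$WORK/forged.pem" "$WORK/proxy-ca.pem")"
```

The two verdicts are the whole point of the question: the same forged leaf is "rejected" by a client that does not have proxy-ca.pem as a trust anchor (that is the "invalid certificate" error, and also what a client that pins the real site's certificate sees) and "trusted" once it does, which is why the CA certificate, and nothing per user, has to reach every workstation and every non-Windows trust store in use. The key fingerprints show why the proxy can read the traffic: the leaf the browser sees binds the host name to the proxy's key, not the site's.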
Assisted Solution

by:Dave Howe
Dave Howe earned 2000 total points
ID: 34953464
This might help:
https://kb.bluecoat.com/index?page=content&id=KB3700
Step-by-step instructions on how to set up a Blue Coat SSL proxy using the MS CA.