BYOD/Android certificate substitution problem

  #1 (Bruce123)

    Hi all,

    We have a particular problem with certain devices and our wireless BYOD setup.

    Essentially, users connect to an open network and authenticate via a captive portal (AD integrated) for Internet access.

    The connection is filtered and goes out via a firewall at layer 3/4. All's OK apart from when the user tries to access an SSL enabled website. The firewall decrypts the SSL session, re-establishes an SSL session replacing the real certificate with an SSL certificate generated on-the-fly by the firewall. The problem is the BYOD devices don't trust the certificate (can't be verified) as they don't have the root certificate installed.

    Is there a simple way to resolve this issue? Is there any easy way to push out the root cert to users' devices? I wondered if we could place a copy of the root certificate on our website, that users could be instructed to download using the URL e.g. go to website.com/root.cert?

    I know one way is to copy the certificate to the SD card, but our users would find this too complicated.

    Any advice is much appreciated.

    Many Thanks,

    Bruce.

    PS The connection goes via Bloxx (filtering) and Watchguard (firewall) but I can't quite remember which is performing the SSL decryption/re-encryption.
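The interception described in this post, as an added example that is not part of the thread and not code from Bloxx, Watchguard or any other product named here: a Go program, standard library only, that plays the firewall's private CA, mints an on-the-fly certificate for a hostname, and then runs the same validation a client's TLS stack would: once with a trust store that lacks the interception root (the BYOD devices in the post) and once with the root installed (a managed device). The CA name and the hostnames bank.example and shop.example are constructed. The third check, presenting the bank.example certificate for shop.example, is the point made later in the thread about using a real-world certificate: a server certificate is bound to one hostname, so an interception box has to mint a fresh one per site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// InterceptingCA stands in for the private CA an SSL-inspecting firewall uses
// to sign a replacement certificate for every HTTPS site a client visits.
type InterceptingCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent and signer and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewInterceptingCA creates a self-signed root; the name is a constructed placeholder.
func NewInterceptingCA(name string) (*InterceptingCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &InterceptingCA{Cert: cert, key: key}, nil
}

// MintLeaf is the "generated on-the-fly" step: a fresh server certificate
// for exactly the hostname the client asked for, signed by the firewall root.
func (ca *InterceptingCA) MintLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, ca.Cert, &key.PublicKey, ca.key)
}

// Validate runs the check a browser or Android TLS stack performs on the
// presented certificate. roots is the device's trust store: pass nothing for a
// BYOD device without the interception root, or the CA cert for a managed one.
func Validate(leaf *x509.Certificate, host string, roots ...*x509.Certificate) string {
	pool := x509.NewCertPool() // empty, not nil: nil Roots would fall back to the OS store
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	switch err.(type) {
	case nil:
		return "trusted"
	case x509.UnknownAuthorityError:
		return "untrusted-issuer" // what the BYOD devices in the thread report
	case x509.HostnameError:
		return "hostname-mismatch" // why one static certificate cannot serve every site
	default:
		return "invalid"
	}
}

// Fingerprint is the SHA-256 of the DER certificate; comparing it with the
// fingerprint the genuine site publishes shows whether a device is seeing the
// firewall's certificate rather than the site's own.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	ca, err := NewInterceptingCA("Firewall Interception CA")
	if err != nil {
		panic(err)
	}
	leaf, err := ca.MintLeaf("bank.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("BYOD device, no root:  ", Validate(leaf, "bank.example"))
	fmt.Println("managed device, root:  ", Validate(leaf, "bank.example", ca.Cert))
	fmt.Println("same cert, other site: ", Validate(leaf, "shop.example", ca.Cert))
	fmt.Println("issuer:", leaf.Issuer.CommonName, "sha256:", Fingerprint(leaf))
}
```

Run it with go run. The first line printed is what the unprovisioned Android devices in the post experience, and it is the correct behaviour for a device that does not hold the root, which is the sense in which the last reply in the thread calls the setup a MITM. Fingerprint gives the value an administrator can compare against the one the genuine site publishes when checking whether a particular device's traffic is passing through the interception path.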

  #2 (FN-GM)

    Not 100% sure how your solution works, but could you use a real world certificate for the job?

  #3 (bjohnny42)

    Just a quick thought, but do you tell your users that you decrypt and intercept their SSL data? Are there warnings about banking using school facilities etc.? It seems mad doing online banking in school but you never know with some users. This among other things.

    I think what you are talking about is discussed here. Installing anything on someone's own device is fraught with difficulty and I don't see a way around it. Totally possible to install a cert on school-owned devices but fraught with difficulty on user-owned devices (both logistically and legally).

    The Smoothwall Blog: 7 Ways To Deal With HTTPS traffic

  Thanks to bjohnny42 from: Bruce123 (7th January 2014)

  #4 (Bruce123)

    Quote Originally Posted by bjohnny42 View Post (post #3 above, quoted in full)
    This has been discussed and the staff/students are informed about it, I appreciate it's not ideal (I had the same thoughts on Internet banking myself) but it does enable us to filter on SSL enabled content.

    I think, as you said, for BYOD certificate SSL/TLS decryption/re-encryption doesn't seem practical.

    That may still leave some College managed Android devices.

    Thanks,

    Bruce.

  #5 (Bruce123)

    Quote Originally Posted by FN-GM View Post
    Not 100% sure how your solution works, but could you use a real world certificate for the job?
    In this scenario it wouldn't, because a new certificate would need creating on-the-fly for each SSL site visited by the end users.

  #6

    Smoothwall (by default) doesn't decrypt traffic to banking websites - there's a specific "unless it's a banking website" exclusion turned on as-shipped.

    I suspect other vendors do something similar.

  #7 (DMcCoy)

    Quote Originally Posted by Bruce123 View Post
    Is there a simple way to resolve this issue?
    No

    It's a MITM attack and devices should treat it as such.
