Thursday, June 24, 2021

Clarity on TLS 1.3 decryption in blog...

Hi, I'm in the middle of going through the process of implementing SSL decryption on Firepower and going through what I should/need to decrypt, but I have also learned that if a website is using TLS 1.3 then I won't be able to decrypt the traffic regardless. Are there many sites anymore that use TLS 1.2? If not, then is there much point in SSL decryption anymore?

I came across this blog here: https://mikeguy.co.uk/posts/2018/11/tls-1.3-decryption-misconceptions/

It comes across as a really useful, informative blog on it and I understood 99% of it, up until the part where he mentions...

"Firstly, passive out-of-band decryption is out. The fact all key-exchanges will use Diffie Hellman means that devices such as IPS etc. cannot passively decrypt traffic even with a copy of the private key. The only way they would be able to decrypt data would be for one end of the conversation to provide a copy of the actual session key somehow. Not something that really exists at the moment, but potentially something that could end up coming out the back of this in the end (e.g. some sort of agent on your endpoints sends it securely to the appliance in question).

Inline “Man in the middle” decryption (as implemented on many firewalls and proxies) however will still be entirely possible. As long as your internal clients trust the device’s CA certificate then it will still be able to spoof the certificates and sit in the middle just as it does for TLS 1.2 today."

The first paragraph makes sense to me, but then it comes across like he contradicts himself when he says MITM decryption is still possible. Well, that's what an ISP/SSL next gen firewall does for the job, and in the first he's saying it won't be able to do it because of the way TLS 1.3 works now. So which one is it, guys?

Also, just so I'm clear as well, TLS 1.3 works via both ends creating 2 values and sharing the "shared key" value and keeping the private key to themselves. When each receives each other's shared key, then using their own private keys they can come to the same shared master key and use that to encrypt and decrypt traffic and use it to pass through the symmetrical AES key used for actual encryption?
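
The two deployment modes named in the quoted passage, side by side, as an added example that is not part of the original post or the linked blog. It assumes a constructed toy Diffie-Hellman group and hypothetical function names, with a SHA-256 hash standing in for the TLS 1.3 key schedule.

```python
import hashlib
import secrets

# Constructed toy group for illustration only; TLS 1.3 itself uses groups such as X25519.
P = 2**127 - 1
G = 3

def keypair():
    """Fresh (private, public) Diffie-Hellman pair."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(my_priv, peer_pub):
    """Hash of the DH shared secret; stands in for the TLS key schedule."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def passive_tap():
    """Out-of-band sensor holding a copy of the server's long-term private key."""
    longterm_priv, _ = keypair()      # certificate key: only signs the handshake
    c_priv, c_share = keypair()       # ephemeral, never leaves the client
    s_priv, s_share = keypair()       # ephemeral, never leaves the server
    client_key = session_key(c_priv, s_share)
    server_key = session_key(s_priv, c_share)
    # The tap sees only c_share and s_share on the wire. The long-term key took
    # no part in the exchange, so combining it with a share gives a different key.
    tap_key = session_key(longterm_priv, c_share)
    return client_key, server_key, tap_key

def inline_inspection(client_trusts_inspection_ca):
    """Inline device terminates TLS and runs its own exchange on each leg."""
    if not client_trusts_inspection_ca:
        return None                   # client rejects the re-signed certificate
    c_priv, c_share = keypair()
    s_priv, s_share = keypair()
    dc_priv, dc_share = keypair()     # device's share on the client-facing leg
    ds_priv, ds_share = keypair()     # device's share on the server-facing leg
    client_leg = (session_key(c_priv, dc_share), session_key(dc_priv, c_share))
    server_leg = (session_key(s_priv, ds_share), session_key(ds_priv, s_share))
    return client_leg, server_leg

if __name__ == "__main__":
    ck, sk, tk = passive_tap()
    print("endpoints agree:", ck == sk, "| tap derives it:", tk == ck)
    print("untrusted CA:", inline_inspection(False))
    cl, sl = inline_inspection(True)
    print("device holds both leg keys:", cl[0] == cl[1], sl[0] == sl[1],
          "| legs differ:", cl[0] != sl[0])
```

The inline device never recovers the key of a session between client and server; it is an endpoint of two separate sessions, which only works because the client trusts the CA that re-signs the certificate.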


