Seeing a ton of alerts from SSL Inspection

itxnc
itxnc Posts: 98  Ally Member
edited April 2021 in Security
We're seeing a ton of alerts like this for this single IP with SSL Inspection:


That's a Facebook IP (in Ireland I believe). Facebook Messenger Desktop doesn't work unless we add graph.facebook.com and web.facebook.com to the exclude list because they hit this IP hard. Needless to say I'd MUCH rather Facebook be included in SSL Inspection...

Can you all see why this one IP is flagging? Is it a lack of a CA cert in the firmware, or is their server misconfigured (can't imagine it is, otherwise Chrome would go bonkers)?

All Replies

  • zyman2008
    zyman2008 Posts: 199  Master Member
    I think SSL inspection no longer works for most mobile apps now. It only works for browser-based applications,
    since more apps implement "certificate pinning" to prevent MITM attacks.
    For example, since Android 7, if apps implement the certificate check API by level 24, then the apps will not trust user-imported certificates but will trust the certificates in the system store only.
    Android Developers Blog: Changes to Trusted Certificate Authorities in Android Nougat (googleblog.com)

  • itxnc
    itxnc Posts: 98  Ally Member
    Yeah - we don't even try SSL inspection on phones. We limit it to select desktops we know have the certificate installed properly. So these aren't coming from a phone. 
