Hi,
I already put those as comments below that article https://community.sophos.com/intercept-x-endpoint/early-access-program/b/blog/posts/https-policy-changes
As I'm unsure if it's getting read there, I post it here in the EAP forums again.
I notice 2 issues so far with the new SSL / TLS Scanning of Intercept-X where it is acting as Man-in-the-Middle SSL Scanner.
1. I cannot manage my company's Sophos XG and SG firewalls with Firefox using Windows store certificates (security.enterprise_roots.enabled true) anymore. Other browsers are working. The firewalls' Webadmin is equipped with a commercial wildcard certificate for *.owndomain.abc
SEC_ERROR_REUSED_ISSUER_AND_SERIAL
Excluding owndomain.abc as domain in Sophos Central SSL / TLS Settings is a workaround but we do not want it to be excluded.
When loading the firewall management website with IP https://123.123.123.123:4444 the same error appears with Firefox.
2. Excluding Banking websites is not working - the Endpoint will still break SSL and re-encrypt the page as can be seen by the issuing CA. That's a no-go.
examples:
hsbc.co.uk Categorized URL - Finance/Banking Minimal Risk
bankofindia.co.in Categorized URL - Finance/Banking Minimal Risk
Skipping e.g. deutsche-bank.de (a German financial institute) with the URL Exclusion list, you can see it is not scanning SSL:
Result is:
-------------------------
and now again removed the URL exclusion in Central:
scanned by Sophos
Excluding IP addresses or IP subnets in Central does not work - the client is ignoring the setting and keeps hijacking the SSL connection.
from help:
Does anyone care about the IP exclusions not working? What's the use of the EAP Forum then?
An update to "category exclusions" - that's now working. I interpreted the switches the opposite way. Needs to be on/green to exclude.
This is my first week of running with SSL decryption turned on for my general work system and I'm seeing this same issue, and others.
- Accessing internal system management interfaces using IPs excluded from decryption fails with PR_CONNECT_RESET_ERROR (Firefox) and ERR_CONNECTION_RESET (Chrome)
- Related to IP exclusions, accessing internal system management interfaces using non-FQDN names are not properly excluded
- Various sites fail intermittently with the error SEC_ERROR_REUSED_ISSUER_AND_SERIAL, then work after 10-15 seconds
- Some pages simply fail to load, such as https://chromereleases.googleblog.com/ or https://www.brightcloud.com/tools/url-ip-lookup.php
In general, there will need to be some serious reliability improvements to this component for us to enable this functionality across our organization.
stoomart said:
- Various sites fail intermittently with the error SEC_ERROR_REUSED_ISSUER_AND_SERIAL, then work after 10-15 seconds
That's usually with Firefox open while Sophos endpoint updates are installed in the background. Typical is IPS. Had this today again. Then you need to close all browser processes and start a fresh session. EP module updates break their ability to do the man in the middle SSL scan for opened browsers.
I can open both of your links fine, though, re-encrypted by Sophos Endpoint RSA Root CA
then it happens, that they're not able to update their program
LHerzog said:
Various sites fail intermittently with the error SEC_ERROR_REUSED_ISSUER_AND_SERIAL, then work after 10-15 seconds
That also happens when your network connectivity changes. You move with your notebook to a different location, plug LAN cable etc. Need to close and reopen browser.
I certainly hope this gets fixed by Sophos soon. Myself and our IT Director are currently in the EAP testing the SSL Decrypt functionality on our workstations and we've been seeing the Firefox error with all of our organization's URLs (we use a wildcard cert.) We've since exempted *.ourdomain.edu and it seems to have taken care of it, with the exception of our firewall's management panel, which we connect to via IP address. As you mentioned, Sophos is not honoring IP address exemptions. Thankfully, with it only being us two using that, and neither of us using Firefox as a primary browser, it's not a big deal for now.
However, given this plus other issues I'm seeing as suggested topics at the right, this feature still needs a lot of work before it sees general rollout.