All right, everybody. Thank you everybody very much for your patience. I'm Andrew Brandt. I'm the director of threat research at Symantec, and obviously not as much of a techie as I'd hoped I would be today. So we're going to be talking a little bit about the SSL Visibility appliance. And unfortunately, although I have a demo unit here behind this projector, there is no wired internet drop in the Crypto and Privacy Village. So it is on and it is working; it's just not hooked up to anything. We can do a little bit of a demo with it at the end if there's a little bit of time. There are instructions here for how to do the testing if you really wanted to do the testing, but it's not actually connected to any kind of live internet service. So while you can connect to it and you can download these certs that I've generated with it, you cannot really use them for anything. So just don't bother.

All right, so I'm going to talk a little bit about what the former Blue Coat, now all part of the big happy Symantec family, is, and the division that I work in. I'm going to talk a little bit about how this gizmo works and what it's meant to do. Also what it can't do. And because I use this in my lab with a lot of different types of devices and a lot of different types of operating systems, I have some experience in what is able to get through there and be decrypted, and what the device basically causes to choke.

Right, so a lot of what I'm going to show you is going to be UI from the Visibility appliance itself, which is not very pretty, but there is also a component of this stack that I work with that's called Security Analytics, and that's more important for me to explain from the beginning, because a lot of the packets that I look at come out of SA. So the SSL Visibility appliance essentially is this man-in-the-middle decryptor that you would put between your WAN and your LAN, and you might use it for two purposes.
You might use it to man-in-the-middle internal traffic that's outbound, or external traffic that's coming into a service that's got SSL or TLS on the host. When those packets come through the SSLV, if it can do its decryption, it will spew them out on a separate port, which you can then capture with a SPAN or a tap port, and then that stuff gets ingested into Security Analytics. What that does is record everything, index all the metadata out of those packets, and then re-index that index, so the searching is really fast. You get something that's essentially a SIEM-like interface, but when you drill down to the nittiest of the nitty-gritty you can get down to the packet level. You can reconstruct files from various types of applications that have been observed communicating over your network, so HTTP, email, a bunch of different types of protocols can be basically decrypted and then reconstructed, so essentially it looks like you're looking over the shoulder of the machine that was doing the browsing or making the connections.

So what SA can do is inspect tons and tons of traffic. It's meant for high-speed enterprise networks, and as a component of that it uses a lot of storage. You can imagine: you just do the math on how fast the network is, what its typical load is, and the number of days of storage you want to be able to go back retrospectively and do analysis on, and we're talking, in some cases, into the petabyte and exabyte amount of storage for some applications. I run it on a virtual appliance because my network is relatively slow, and with a couple of gigs of packet data plus the metadata I'm usually able to go back three or four months and reconstruct stuff pretty far back. And I've already talked about what SSL Visibility is; it really is just custom silicon dedicated to doing the math that's involved in SSL decryption.
All right, so these are the two ways that we would use SSLV. Most of the time that I'm using it in my lab, I am using it in the outbound inspection variety, which is where I've got the thing watching traffic. It's inside the LAN, but it's just inside the perimeter before everything else, and everything that goes outbound is going through this thing. When it can be inspected it is inspected, and when it causes problems you can tell it to do one of two things: you can either have it reject that connection and basically kill it, in which case the application will throw errors if it's obviously not able to complete its communication, or you can just tell the box, if you identify this protocol or this particular service or this domain name or these IP ranges, just ignore these things that you have set up for the purposes of doing inspection. Then it will ignore that and everything will go through, but you won't get the decrypted SSL either.

All right, so when you first connect into the SSLV, the first thing that you see is that it has its own self-signed cert, obviously, because all of these appliances are using SSL, and that's pretty normal. The cert looks like that; it actually has a common name of "SSL NG UI", and it's generated the first time you use the app. So this is the dashboard of the SSLV. That's the prettiest picture that you're ever going to see in the UI, and all it does is show you a visual representation of the rack and the ports that are on the front of it. And yeah, it's the one device that I have in my stack where the ports are on the front; everything else is on the back, so it's kind of a pain. It will tell you basically how you're using it. In this case I'm using it in something called active inline FTN mode, and that is where all sessions are basically being intercepted; when they can be decrypted it is
doing so, and when they cannot, it essentially lets them go through without trying to decrypt them, just to allow things to work. Sorry that that's so tiny, but this is just a picture of the user interface of the SSLV session log, and what's important about this is that it will tell you, for example, what cipher suite the device is trying to decrypt, whether that type of cipher suite is supported by the device (not all of them are, but many of them are), and then whether or not it was able to successfully decrypt it. When it is not able to decrypt it and the device allows the connection to go through anyway, so it still works, that is called a cut-through. It's kind of an interesting thing; one of the ways that the device works is that clearly you have one Ethernet port for in and one for out, and then there is a second pair of ports. It is literally a physical loopback, where you have to have the tiniest cable in the world, and it's just a loop between them. The reason for that is that the device will programmatically decide when something is supposed to go through, and it will literally shunt it through this other thing, which is just a loop, to get it around all of the silicon inside.

So to use it you basically generate a cert, and the cert is generated essentially by the device acting as a certificate authority. It will generate a cert for you; you can add all of the custom information that you would want into the certificate. This is not a valid cert that you would be able to then put up on your HTTPS server; its only purpose is to do the re-signing. So the secret key remains within the device, and then you can export the public side of the cert, which you can then add into the certificate store of any of your devices, and when that cert is in the cert store the re-signing happens
essentially transparently and automatically. There's a huge number of protocols that it supports; that's just some screenshots of some of the UI drop-downs that show you all the different options that you can have when you generate your cert. And then here's the exported cert. It shows that you can create one like this one; I call this my DEF CON certificate, and it will export it as a PEM or a CRT or CER or DER, and then you can import it into a variety of different devices. All right, and then here's just the re-signing authorities. You can decide, under certain circumstances, when such-and-such cipher suite is being used, use this certificate authority, or else use this other one. You can use it for a bunch of different reasons, but it's primarily a way of maintaining the same security level of the traffic on your internal network, so you're not using a weakened cipher or something that's easy to crack inside the building, because that would be, you know, talk about crunchy outside and soft and chewy on the inside; it would just make things worse for a lot of things.
Right, and then once you have your cert set up and they've been installed on your devices, then you have to create rule sets where you basically say, under these circumstances you're going to do the decrypting. So you go to this Rule Policies menu, go to Rule Sets, and you add in your rule. In this case the rule sets that I've created are basically: look at everything, and then if you see these domain names, exclude them; if you see these IP addresses, which happen to be internal devices, exclude them; if you see these IP addresses that belong to Netflix's content management system, exclude them, because Netflix for some reason doesn't like to have all of their stuff decrypted; and so on and so forth; and then the very last step is: do the decryption.

Right, so one of the cool features that is in the newer version of this product is that it pulls down and ties in with the categories that Blue Coat has created for its web categorization service, which underlies a lot of their other products. Most people know the Blue Coat proxy; it's the big enterprise product that a lot of people have, and they have these categories where administrators can set up policies where they don't want employees to visit porn sites on the job. I mean, shocking, right? But you might not want to block that, and so in this case you can actually use those same categories and you can say, I want to decrypt everything except stuff that's tied to banking and financial, for example, and thereby you can exclude the stuff that would force you to violate PCI DSS standards, for example, or where you would accidentally be leaking tons of data across your network decrypted that you wouldn't want to be leaked. So yeah, anyway, the team I work for is the team that creates that and maintains that
reputation service; it's called the Global Information Network. Once you've done all that, then you just pop it in, and there's a little UI that says plug this into port one and two, plug this into port five and six, and then everything else, the tap, is coming out of the other ports. Right, more little choosers that show you different combinations of things you can do.

So one of the things that it can do also, because it's an inline box, it's a bump in the wire: you would imagine that if there were a physical failure like a power outage, your network might go down if this box wasn't turned on. So there's this concept of fail-to-network, and that's one of the other reasons why there's that little loopback physical wire in there. It will actually physically click over, you'll hear a loud click when the power goes out, and then that just means that it acts as a bump in the wire with nothing in between, so your network continues running even though the power's out. Right, here's some of the rules in the failure modes that it can experience and what you can choose to do with it. Basically you can either choose to reject, which means kill the connection, or you can tell it to cut through, which means let it go, and it's not decrypting anything. Right, and we've already talked about this; you saw that graphic, so I'm not going to repeat all that.

It does not get used in a couple of different circumstances. Last year I gave this talk, and there's been some misunderstanding about the purpose of this device. While it is suitable for enterprise networks where you may have a couple to ten thousand machines on a network at the highest end, in anything bigger than that you're going to run into real problems where the CPU load is just going to be too high for the device and it's going to start dropping sessions. So this is not a box
that you can plug in on your country's WAN connection to the rest of the internet and basically decrypt everything that everyone is doing. The other thing that you can't do is decrypt stuff and have it not be really obvious. Everything that gets decrypted, if it doesn't have your CA cert in your cert store, is basically going to cause errors to pop up in whatever application you use. If you're using the browser, you'll see those messages that pop up that say there's something hinky about this HTTPS connection, are you sure you want to connect to it? And so if you don't have that CA cert installed it's going to throw a lot of those errors, and there are going to be devices and applications that don't connect at all. Right, and that's basically what I was saying: none of this stuff is going to work if you don't have the CA cert on it.

When you do install CA certs on a laptop, there isn't necessarily a warning message to let you know that stuff is going to be decryptable, and in some cases we've seen kind of shoddy crimeware applications that have tried to convince people to install CA certs onto their device so that the criminal's malware can actually decrypt the SSL for the criminal. Other than that I haven't seen a whole lot of criminal use of this type of thing. But when you do install the cert in other devices, like in Android, you get these persistent alerts that never go away the entire time the cert is installed. So these messages that say things like "network may be monitored by a known third party", you're going to see that message until you actually delete those certs completely out of the store. All right, so what's better in the past year?
I gave a talk similar to this last year, and the talk that I gave was about how few applications for mobile devices specifically were actually using something called certificate pinning, where they essentially have a CA cert built into the app, and if that cert does not match identically what it's getting in the handshake from the server, the connection simply doesn't go through. A year ago there were a few apps that essentially were very, very secure and would never allow that to go through, but a lot of other stuff did. Some of the apps that worked last year, that securely connected and had pinned certs, were things like the Twitter app, like Signal, the SMS replacement app, and other kinds of security tools that you can imagine would want to have pinned certs. I believe also Facebook supported pinning, and a few games that do some command and control for the game over HTTPS.

There's been a lot of improvements over the past year. I gave a different talk last year about a game that I use that is a location-based game called Ingress, and how it has been and is continuing to be heavily abused by people who do man-in-the-middle SSL interception to decrypt all of the command and control stuff and messaging that's in the game, and that's being used to essentially louse up that game and cheat. I'm sad to say that that app has not improved, although the other game that that same company, Niantic, makes, Pokemon Go, in a release that happened sometime in the last fall, did start pinning its certs. So while it is still possible to man-in-the-middle Ingress, you cannot man-in-the-middle Pokemon Go, to the best of my knowledge, unless you do some hacking of the app itself.
Right, and I mentioned that basically when there's a specific pin, it's not going to work, I mean it's really not going to work. A lot of times the application developers, when they create these apps that have pins in them, they're doing it so that they can ensure privacy of the connection, but they're not necessarily building in the error responses to understand and explain to the end user why the thing isn't connecting. It will just say "tweets cannot be received at this time". So in some cases you'll get these messages where it says it just couldn't connect, and in others it will say it looks like there's SSL interception going on, I'm definitely not going to connect, but a lot of times the error messages are pretty confusing.

So let me show you some of the other stuff that's popped out just in doing a little bit of looking at devices. What I haven't explained is that in my day job I run this lab. It's full of IoT devices, it's full of Android phones that are running malware at any given time, and I also have bare-metal machines, virtual machines, and some sandboxes that are running malware. The purpose of doing all of this decryption and recording of network traffic is so that we in the GIN team can observe the command and control traffic of malware, know where it's talking to, how it communicates, and write rules for various tools to either be able to notice when those kinds of connections are happening or to be able to block them by address, or sometimes to narrow it down to the URI path that a command and control connection will be happening on. So I do have a demo that was ready to go on my other laptop, and hopefully, if the person who loaned me their laptop doesn't mind, I might connect it to my demo network and see if I can do that at the end, because there is some malware that uses TLS to do its command and control. One of
the primary ones that I'm seeing right now is a bot that's emerged in the last few months called TrickBot, which is starting to gain traction as a main RAT that people are distributing through a lot of different methods, but mainly through spam and through exploit kits. It's an interesting one because it's also one of the more sophisticated and modular pieces of malware that I've seen. It basically is a core engine for the malicious activity, and it brings down modules from different command and control servers so that it can run those modules as DLLs and hook into different features on whatever machine it happens to have infected.

So, a couple of the weird things that have popped up recently. Looking in these logs, I will sometimes just skim through them, and there's actually a filter thing that will just show you all the errors that appear in the SSL session logs, so I like to look through those and see what broke recently, and I wanted to call a few of these out. Just last week I was looking at a couple of these things, and I had a phone that was attached to one of my nodes in my network that routes through this, and the phone was doing some just normal activity, but this error popped up. It's the one that's highlighted here. It was a big log line, so I split it in half, but basically near the end you can see it says "expired". So in this case, when this communication happened, it allowed the communication to go through; it was not able to decrypt it, and it did report that the cert was expired. So I went back in and I looked, and you could see that the origin IP of this was 54.208.220.185. So I went into Security Analytics and I pulled out the undecrypted flow that contained
that session with the SSL stuff, and then I used a tool called NetworkMiner to just dump out the cert and take a look at that. When I did that, I found that there was this cert for something called parse.com. Parse is one of many different kinds of mobile instrumentation; it's a third-party instrumentation package that developers will install, which they use to keep track of how their app is behaving, and it receives telemetry over HTTPS as well. And their cert expired. It's hard to see, but it says it expired on June 29th. So they were still running on an expired cert, and I wasn't able to decrypt it because of that.

One of the other things that I have, like I mentioned, is a lot of IoT devices, and we have a couple of Samsung smart TVs, different models, connected to that network. In general the Samsung is an interesting device. Show of hands, how many people have a Samsung smart TV? So just a few, but more than a couple. Interesting device. It has its own version of an operating system, it has its own antivirus built into it as well; you can tell the thing to scan for files within the operating system's file system. It has Ethernet ports and can connect over a wired or wireless connection, and obviously you would then connect it to the network, and it has all your apps for Netflix or Hulu or Amazon, whatever your video streaming service of choice is. So when you want to watch HBO Go you just go into the TV and you pivot over to the streaming service that you want, and it launches an app within the TV, and those apps are all downloaded through a cloud service that Samsung operates. The TV also does things like scan the whole network, four times every second, for Samsung mobile devices that can connect to the TV. It generates a ton
of noise, and actually I would say it's one of the reasons why, when you buy a smart TV, it's always good to connect it to a power strip, and when you turn it off, turn it off on the power strip so that it's not just sitting there, because I've seen my TV stay active for three or four hours after you turn it off, and it continues scanning, looking for, hey, does anyone want to connect and share videos on the screen? So it's pretty obnoxious. In addition to all of that noise, the TV itself has authentication with a Samsung account that you can set up to do technical support and also to save your preferences. There's a browser built into the TV, so if you want to browse the internet you can save your bookmarks in your Samsung account, and then when you log into your Samsung account on a different TV or a different device you can get all that stuff back.

So what we've got here is logs from the SSLV showing that the TV was going to a bunch of different websites, including samsungcloudsolution.net and samsungacr.com. All of these Samsung apps that are in the TV themselves, with the exception of its Wi-Fi connection check, basically fail on this because they're using a pinned cert. That's good, because the one that's connecting to samsungacr.com is connecting to something called log-ingestion.samsungacr.com. The bad news is that all of those domains have invalid issuers. So there's a cert that was issued to these different TV connection domains that isn't valid, and when I pulled them out and looked at them, yeah, they're all self-signed certs. So apparently Samsung operates its own internal certificate authority, and they generate these certs for their devices, which then get flashed into the firmware for the TVs and the mobile phones and everything else, and the cert has a validity up until the end of the year 2043. So I cannot guarantee that
your TV will still work in 2044. I suspect it will probably fail a lot sooner than that, but it's interesting to me to find out that the big TV manufacturers are basically issuing self-signed certs for the hundreds of thousands of TVs and things that they sell every year.

Another thing that I was playing with was my son's Nintendo 3DS, which I do occasionally confiscate for research purposes, and play a little bit of Pokemon X/Y. But besides that, the device is actually really interesting because it can do peer-to-peer networking over Wi-Fi, so you can play collaborative games together with your buddies. It also has its own built-in browser, and it tries as best it can to generate a mobile version of things like Gmail, so you can read your Gmail and stuff through the browser on the 3DS. I wouldn't recommend it; it's not the best way to read your email. When you go to the browser and you have SSL interception on it, you can see here it pops up a warning message that asks you to basically bypass the security features in the SSL: are you sure you want to do this? It's essentially the same as what you would get in Chrome. So in the browser of the 3DS you can manually bypass this error message, and, I don't know, show of hands, how many people think ten-year-olds understand what the context of this kind of dialogue box is? Exactly. So everybody, when your child is a straight-A student, in my book, that one guy in the back who raised his hand. So most kids are going to just hit Allow because they don't understand what's going to happen, and I believe a lot of adults do that too when they see this kind of a message. So you can bypass and you can decrypt the SSL from the browser. What you can't do, without doing some serious modifications to the 3DS, is decrypt any of the other HTTPS communications that the device does. So among those
things, there is a Nintendo account where you can create your Mii, which is a little cartoony character that represents you in all the games, and you can share your Mii through your Nintendo account with your buddies, so that when they play co-op with you, your Mii shows up on their device and their Mii shows up on your device. None of that Mii gallery stuff works if you have interception turned on; it just can't connect. The other thing that fails is there is an online store where you can buy the games and essentially download them to the device, to the SD card or into the device's memory. This store app is also pinned, so that when you have interception turned on you're not going to be able to buy a game and download it. And then the third thing that's kind of an issue is that all of the domains that are being used for Nintendo are also invalid issuers. So here I've got some of the screen; on this one at the very bottom, c.shop.nintendowifi.net has an invalid issuer, and then on these two screens there's something called nasc.nintendowifi.net and account.nintendo.net, and all of them are invalid issuers. Again, it comes down to Nintendo themselves, just like Samsung, operating their own certificate authority; they're basically self-signing certs and throwing them into these devices. You have to wonder about these large electronics manufacturers. I mean, I think that they probably have 50 bucks a year to throw at buying some certs. I would hope that this would change in the future. I think right now it's probably being done for convenience's sake, but it would be nice to see some trust levels in the SSL communications and not just self-signed certs, because, as we all know, that's just asking for trouble. When you try to do anything over an intercepted network through these pinned apps that are built into the 3DS, you end up with a message
that's very obscure-looking and looks like this, the one on the left that says "an error has occurred, please try again later". When you go and you look up that error code, it tells you that there's a message in that error code that essentially is that the clock is set wrong, so you need to check the time and then try to reconnect again. That actually comes up a lot when you're seeing certificate re-signing: the error is basically the same as if your clock was off and the timing for the cert was wrong. But the game developers or the device manufacturers don't anticipate or assume that people are doing man-in-the-middle decryption on their stuff, so they just basically have one error message for that whole type of thing. The one thing that does work, though, is when you do the connection test. So there's a whole Wi-Fi UI in the 3DS, and you can connect to an access point, and then it wants to go off and make sure that it can make a valid connection. If it cannot make an HTTPS connection, which it tries first, it then tries just an HTTP connection to a URL that's on Nintendo's website, and when that works it basically comes back and says your connection is good, but it doesn't tell you that you weren't able to connect over SSL. So yeah, it's just another weirdness in a consumer electronics device.

Another invalid issuer problem that I found was with Whisper Systems. Whisper Systems makes the Signal app. I'm a user of it, and I love Moxie Marlinspike, right? I mean, he's been to DEF CON a million times and spoken, and he's a great guy and this is a great app. But once again, it's using a self-generated cert to do that communication, and I just would prefer, I don't know how you feel about it, I think it would be stronger if more of these companies used certs that had some validity that can be validated through a
certificate authority. So here's the Whisper Systems cert, right, and it says Windows did not have enough information to verify the certificate, and at the bottom of the second one it says the issuer of the certificate could not be found, and that's basically the same error that the Nintendo one did and the Samsung one did, so most likely it was a self-signature. If I had my laptop I'd open the cert and take a look and see what it was signed with; I don't have the screenshot up here.

Right, oh, so one of the other things that came out of this is that there are these third-party apps, right? So Netflix and Hulu and all those guys have their own apps; they produce them for the Tizen operating system, which is the thing that's running in the Samsung TV, and then those apps can have their other third-party instrumentation in them, so that those app developers can get feedback directly from the TV user when something's not working, if streaming's not coming through right. I mean, you can understand why Netflix wants to know what your throughput is and if you're getting too many artifacts in the video, and so there's all this internet instrumentation built into the apps themselves. In this case there was an invalid issuer for Netflix's app, so there was a self-signed cert for Netflix's app, and then there was also something called "internet at dot TV", and that also was a self-signed cert. So that's whatever that is, and I'm not 100% sure what it is, because of course I wasn't able to inspect the content of the traffic other than to see the cert; it was all invalid certs. So that's problematic.

Now I was going to jump at this point over to my wireless network and show you the decrypted traffic from TrickBot with it. Now I will pause for a moment and see if there's any questions, and ask: is this your laptop, right? Can... yeah, no, would you mind coming up here and
connecting me to my wireless? And so, questions? Yes? No, no, TrickBot is a piece of malware that's created by someone; we don't know who that person is. And we are decrypting the TrickBot command and control traffic using this technique. So the access point, it's this "seven four three e a," and here, I'll introduce you to the process area. Yeah, so did I really catch the... the question was, is TrickBot the tool that I'm using? And no, it is not.

Yes? Well, I wouldn't say that it actually... so the question is, why is a self-signed cert less secure than a pinned cert? Is that essentially it? Well, okay, so let me step back and just reiterate. I wouldn't say that it's more secure, that one is not more secure than the other, but I think having some certificate validity being issued by a valid CA, where it can be checked and there's some trust there, is better than having a self-signed cert. That's not to say that the self-signed certs are inherently insecure, that there's some problem with them, but this validity checking only happens when it's been done through a certificate authority.

I'm sorry, hang on one second, I want to make sure that I can get online. It says it's not connected; it's still trying to connect to it. It won't until it's connected; it's not going to work. Yeah, if you don't mind, I'm sorry, would you please repeat your question? Okay, so the question is, if they're using a purchased cert instead of a self-signed cert, why should I trust the purchased cert more? I don't know, it's just I like to be able to make sure that it's legit. I think it's too easy to kind of clone an app and modify it and add your own self-signed cert in there to kind of pretend to be the app, and maybe put it on an app store. Having that be a valid cert at least gives you the confidence that when it's talking back to its command and control server that it's
talking back to a command and control server that has at least, you know, proposed to a valid signing authority that they are the real deal, right? So, like, if you're using your Chase Bank app, I want to make sure that that cert is valid, that it's talking to Chase, and that it's not just a fake Chase Bank app that's talking to some other guy. Does that make sense? I mean, it doesn't necessarily make it inherently more secure communications, but it makes me feel better about using it.

Yes? That is a valid point; I will repeat that. So if the app is itself signed, and the code is signed so that you know that the app is reputedly originating with the real developer, that obviates the need for checking the cert. And yeah, that's actually a valid point and one that I hadn't considered. My focus in this talk was just very, very narrowly on the network side of things and not looking at the apps themselves.

And then you... so do I know about Google's certificate transparency? I haven't heard the news about it. I do know that Google's certs, and the way that they do SSL specifically within Chrome, they're very on the cutting edge of trying to defeat tools like SSL Visibility. So they were some of the earliest adopters of some of the really obscure and hard-to-decrypt protocols that were being used. And so I would say that when it comes to the team that's doing the development and management of the SSL Visibility product, 95 percent of their feature requests is, "Oh, Google Chrome just added a new certificate or new encryption rule that they need to be able to decrypt, and suddenly it's not working anymore." So, like, I think four times last year they came out with a new version of Chrome and all of a sudden everything broke in SSLV, so then a new version of SSLV firmware had to be uploaded and reinstalled, and
there's a lot of time that we spend trying to bust into Google stuff.

Hi, go ahead. Wow, that's... so it's not a stupid question, but it's not a simple answer. I mean, essentially what it's doing is: you have a certificate handshake that comes in and is presented, essentially, to the client. The SSLV looks for that handshake. It then takes that certificate for the handshake, it pretends that it's the client and does the handshake back to the server, but then internally within the SSLV it takes the decrypted traffic, re-encrypts it with that cert that it's generated, and then sends that up to the client. So it's doing this kind of like two halves of the whole. Yeah. The decrypted traffic is happening inside of the SSLV box itself, so basically the box pretends to be the client; it presents itself as the client, as being the client's originating box, basically. And so it does the handshaking, and then, instead of that decrypted data being sent into the browser itself and rendered on the screen, as would normally happen, it shunts that out of a decrypted port on the box, and then it will re-encrypt it with the certs that you've created and then send that up to the endpoint that actually made the request in the first place.

Yes? Okay, so it's a long question and I've got like less than five minutes, and I think we're out of time for the demo, so I'll just answer this question and then I think we're going to have to wrap it up.
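The two-halves handshake just described means the endpoint sees a certificate for the same server name but signed by the SSLV's resigning CA, and the talk's 3DS and Samsung examples show how a device collapses that into the same "check your clock" error as a real time problem. The following Python script is an added example, not code from the talk or from Symantec's product, that keeps those cases apart: it checks the validity window first, then whether a trusted CA actually signed the leaf, and only then labels the leaf self-signed or unknown-issuer. It assumes the `cryptography` package is installed; the CA names ("Example Corp Root CA", "Lab SSLV Resigning CA"), host names and keys are all constructed test data.

```python
# Added example (not from the talk or the SSLV product): separate the failure
# modes the speaker describes, which consumer devices often collapse into one
# "check your clock" message. Requires the `cryptography` package; all names
# and keys below are constructed test data.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cn, issuer_key, subject_key, not_before, not_after):
    """Build a minimal X.509 certificate for subject_key, signed by issuer_key (ECDSA P-256)."""
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .sign(issuer_key, hashes.SHA256())
    )


def _signed_by(cert, pubkey):
    """True if cert's signature verifies under pubkey (ECDSA keys only in this example)."""
    try:
        pubkey.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _validity_window(cert):
    """(not_before, not_after) as aware UTC datetimes, across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def classify(cert, trusted_cas, now):
    """Return 'ok', 'clock-skew', 'self-signed' or 'unknown-issuer'.

    Time is checked first because a wrong clock is the benign explanation.
    A leaf whose issuer is not in the trusted set is what a re-signed
    (intercepted) connection looks like to an endpoint that does not trust
    the resigning CA; a name match alone is not enough, the signature must verify.
    """
    not_before, not_after = _validity_window(cert)
    if now < not_before or now > not_after:
        return "clock-skew"
    for ca in trusted_cas:
        if ca.subject == cert.issuer and _signed_by(cert, ca.public_key()):
            return "ok"
    if cert.issuer == cert.subject and _signed_by(cert, cert.public_key()):
        return "self-signed"
    return "unknown-issuer"


def build_samples():
    """Constructed test data: a trusted CA, a hypothetical resigning CA, four leaf certs."""
    now = datetime.now(timezone.utc)
    day = timedelta(days=1)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    resign_key = ec.generate_private_key(ec.SECP256R1())
    server_key = ec.generate_private_key(ec.SECP256R1())
    device_key = ec.generate_private_key(ec.SECP256R1())
    cas = {
        "trusted": make_cert("Example Corp Root CA", "Example Corp Root CA",
                             ca_key, ca_key, now - day, now + 365 * day),
        # hypothetical CA an interception appliance would re-sign with
        "resigner": make_cert("Lab SSLV Resigning CA", "Lab SSLV Resigning CA",
                              resign_key, resign_key, now - day, now + 365 * day),
    }
    samples = {
        # properly issued by the trusted CA
        "good": make_cert("api.example.test", "Example Corp Root CA",
                          ca_key, server_key, now - day, now + 90 * day),
        # consumer-device style: issued and signed by itself
        "self-signed": make_cert("update.device.test", "update.device.test",
                                 device_key, device_key, now - day, now + 90 * day),
        # same subject name, but re-signed by the interception CA
        "resigned": make_cert("api.example.test", "Lab SSLV Resigning CA",
                              resign_key, server_key, now - day, now + 90 * day),
        # trusted issuer, but outside the validity window
        "expired": make_cert("old.example.test", "Example Corp Root CA",
                             ca_key, server_key, now - 400 * day, now - 10 * day),
    }
    return cas, samples, now


def run_demo(trust_resigner=False):
    """Classify every sample; trusting the resigning CA is what installing it in a store does."""
    cas, samples, now = build_samples()
    trusted = [cas["trusted"]] + ([cas["resigner"]] if trust_resigner else [])
    return {name: classify(cert, trusted, now) for name, cert in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12s} -> {verdict}")
```

Running it with the default trust set flags the re-signed leaf as `unknown-issuer` while the expired one is reported as `clock-skew`; calling `run_demo(trust_resigner=True)` turns the re-signed leaf into `ok`, which is exactly the effect of installing the appliance's CA into an endpoint's certificate store.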
The question was, if I got it correctly: there are a lot of different certificate authority stores in different operating systems, and even in, say, Windows, there's a certificate authority store for the operating system, but if you have Java installed it has its own CA store, if you have Firefox installed it has its own separate CA store, if you have Thunderbird installed that's a third one, and if you have Chrome it has a fourth one. And believe me, I know this, because I have to install those CA certs in every one of those stores, and it's a giant P.I.T.A. So the question was, is there any kind of industry move to centralize this and keep those certificate stores up to date and have one place where all that stuff is collected? And I think the answer is hell no, because they don't want it that way. I think Chrome, you know, the Chrome developers and Google, want their own store because they don't inherently trust the one on the operating system, and the same is probably true for... I can't speak for the people at the Mozilla Foundation, but the reason why Thunderbird has its own store that's separate from the operating system is that they want to make sure that their CA store is accurate, and they're responsible for updating it when you download your updates, right? That store gets updated periodically with different certs, or sometimes they get deleted, right? It's like, if you lose trust in WoSign, you can go into those CA stores and delete the WoSign cert, and then that kind of reduces the trust that you have in WoSign. It would be nice for there to be one place where you can just do all that stuff, and honestly, the biggest difficulty in my daily job of having to work with this stuff is having to put the certs in all those stores, especially because I have six certs that I install on every machine. So, but no, I don't think that's a problem that gets solved anytime soon. I'm sorry, I wish I
could end on a happier note. I really want to show you guys the TrickBot stuff, but you know what, I'll just pitch it as a talk for next year. Are there any other questions? Oh yeah, go ahead. So, free and open source man-in-the-middle stuff? Yeah, so I know that some exist; I've never used them. I know that we're not the only commercial, and we're not the only, like, free product that does this, right, and that there are products out there that can do this. And there's also, you know, I think Symantec's antivirus and Kaspersky's antivirus also can intercept SSL so that they can check the reputation on URLs that you visit when you're using your computer. But I'm sorry, I don't have a good answer for what's a good free alternative for this. If you find one, though, come and get my card at the end of the talk and let me know what it is, because I'd like to play with it and see what we can do with it. It's called SSL Visibility, and if anybody wants to come, it's running behind the screen here, so if anyone wants to see it I'll have it out in the hallway afterwards.

All right, yeah, I think we're out of time. So, oh, do we have time for one more? Okay, yeah, okay, right. Okay, so that's a really good one. The question is: because this thing is so critical on a network, screwing it up could really mess up your network, so what do we do to kind of mitigate that and reduce the attack surface of the device? So one of the things that we do, wow, one of the things that we do is, there's an administrative interface that can be connected to a completely different VLAN or a different segment of the network, and that basically can be in a secured part of the network. The Security Analytics box as well: it will tap the active part of the network, but it's not necessarily connected to that active part of the network. And so when you
have an administrative interface that's got a separate Ethernet jack, you can put it on something else that's a much more secured and tightened-down segment of the network. It doesn't even have to be connected to the internet; it can just be used for the administrative interface. So that's basically how we do it. The bump in the wire itself that the SSLV represents, there's nothing that... and I shouldn't say this definitively, but I am 99 percent sure that there's nothing that can be interfaced with over that, like through that part of the network. So, all right, I'm getting the hook, so thanks everybody for coming, I appreciate your patience.