Showing results for 
Search instead for 
Did you mean: 
Level 12

Certificate Issues, Coaching and PD Storage

Does anyone have any sample rule sets and/or know if the following is possible?

- User hits a new site that presents a certificate with an error (self-signed, expired, untrusted/unknown CA)

- User is presented with a coaching page that explains what's wrong with the certificate and is given the option to continue

- Certificate hash is stored in PD Storage User for X period of time

- If user returns to a page that presents the same certificate within the permitted period of time, they are not re-prompted

- If user goes to another page that has the same certificate issue (another self-signed certificate, for example), they are re-prompted as to whether they want to continue and that certificate hash is also stored

What I'm trying to do is return the decision of whether or not to proceed to the client.

I know that I can do coaching for specific certificate issues, but if I set a coaching period of time for a specific certificate issue, that will mean that any sites that exhibit the same issue will be permitted during the coaching activation period.

It seems to me that there ought to be a way to store info about specific certificates that have been "okayed" by the client and use that information to determine if the certificate has been previously "okayed" or if a new Continue page should be presented.

Message was edited by: btlyric on 12/9/12 10:33:28 PM CST
0 Kudos
2 Replies
McAfee Employee

Re: Certificate Issues, Coaching and PD Storage

Yo btlyric,

I think this sounds possible, although I'm not sure of the performance issues that could be incurred as a result of PDstorage (it strongly depending on how it is evaluated could be intensive in the IO department).

If you were to implement this you would probably maintain two PDstorage containers (to keep PDstorage usage to a minimum), one to indicate that the user has information in data-storage (this would reduce a lot of IO potentially) and another with the actual data-storage.

The data-storage would contain information about the sites that the user has acknowledged for overriding (such as the certificate serial #). Then when certificate verification takes place you would have a rule to A) check if the user has data in the storage, and B) check what information is in storage, then allow based on the certificate serial number.

Unfortunatley I'm a bit time crunched to mock this up.



0 Kudos
Level 12

Re: Certificate Issues, Coaching and PD Storage

Understand the time crunch. Will see what I can do with your idea.

If I'm interpreting correctly, one PDStorage instance would contain user id and site name and the second would contain user id and cert sha hash.

So user would go to a site and would get a coaching page. MWG would store two different bits of data -- one into PDStorage "Sites" and one into PDStorage "Cert Hashes" (or something like that). Then, when they went to a new site that had the same issue, MWG would first check to see if there was an entry for that site in PD Storage "Sites" and if there was an entry would compare against SHA1 hash in PD Storage "Cert Hashes"...

Or something like that?

0 Kudos