We use SSL scanning with MWG 7.0.2, including the standard rule "Block unknown certificate authorities".
We get a lot of blocks because of "Unknown CA", even for well-known web servers on the internet.
The reason is that the list "Default Known certificate authorities" in MWG 7.0.2 contains only about 100 entries.
IE7 with security updates has a list with more than 300 entries; Firefox 3.6 has more than 200 entries.
So I think well-known root CAs are missing from the MWG root CA list.
We added about 40 additional entries manually (by comparing with the lists of IE and Firefox).
Now the number of blocks is smaller, but still not zero.
But manual maintenance of this list by the end user is a bad way, because of the lack of knowledge of which CA is trustable and which is not.
I think other users using SSL scanning should have similar problems?
What does McAfee think about the process of maintenance of this list?
I also noticed this issue when evaluating the latest MWG v7 appliance as well. I went to www.me.com (Apple) and the root cert is a VeriSign one so is OK, but its content comes from one of 4 servers signed with certs from Comodo that aren't in the Default Known Certificate Authorities list. My UK ISP, eclipse.net.uk, uses QuoVadis certs. Again they are not in the list.
I read in one of the MWG 7.1 pdf guides that the Default Known Certificate Authorities list is populated with entries based on a list maintained by the OpenSSL group.
Choosing a list with little over 100 root certs can't be a good choice by any stretch of the imagination. It also appears, based on what little documentation is available on this in the Product Guide, that the only way to update the list is through manual intervention.
So in my opinion this part of the McAfee Web Gateway is ripe for automation & maintenance through the update process. A product enhancement possibly!!!???
In my own org I can see my supplier charging on a per-incident basis to add new root cert authorities, etc. to the list of knowns. That is expensive when I've paid for the MWG product to do the same, or so I thought.
I think this lack of functionality will stop me upgrading to V7 soon because of the potential business impacts on my users as sites they use frequently are rejected by the SSL Scanner.
I'm very interested to know what McAfee propose to do about this?
This problem has been present for a long time and I am one of the guys working on it. We have established an internal "Root CA Store", which is maintained actively and monitored. We also export this into a list that MWG can read.
In one of the next builds you will be able to actively subscribe to this list, which means you get a recent list of Root CAs and active maintenance, which means:
- add new Root CAs
- remove expired Root CAs
- remove compromised Root CAs
- maintain CRL URIs
Once this is available in the product you can relax and let us do this work for you :-)
The only thing we currently need is some more time for testing, but the feature is as good as done.
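The maintenance tasks listed above (add new Root CAs, remove expired ones, keep the store in sync with a reference) are the same checks an administrator stuck with manual maintenance can run against the gateway's exported bundle. The following is an added example, not code from McAfee or from MWG: it parses two PEM bundles, fingerprints each certificate (SHA-256 over the DER, so two CAs with the same subject name are not confused), reports reference-store entries the gateway bundle lacks, and reports gateway entries whose notAfter has passed. The bundle contents, the `Sample Root` names and the `NOW` date are constructed for the demo; the DER blobs are synthetic, unsigned certificate shapes built in the block, not real CA certificates. In practice you would feed it the gateway's exported list and a bundle exported from a browser trust store.

```python
"""Root CA store hygiene check: entries missing from the gateway bundle relative
to a reference bundle, and gateway entries that have expired.
All certificate data below is constructed for this example (synthetic, unsigned)."""
import base64
import hashlib
from datetime import datetime, timezone

def der_tlv(tag, payload):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def synthetic_cert(cn, not_before, not_after):
    """Constructed certificate-like DER: TBSCertificate layout, no signature."""
    utc = lambda d: der_tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())  # UTCTime
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,                      # Name > RDN SET > ATV
        der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0c, cn.encode()))))    # id-at-commonName, UTF8String
    tbs = (der_tlv(0xa0, der_tlv(0x02, b"\x02"))                          # [0] version v3
           + der_tlv(0x02, b"\x01")                                       # serialNumber
           + der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # signature AlgId
           + name                                                         # issuer
           + der_tlv(0x30, utc(not_before) + utc(not_after))              # validity
           + name)                                                        # subject
    return der_tlv(0x30, der_tlv(0x30, tbs))

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7f
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_info(der):
    """Return (sha256 fingerprint, subject CN, notAfter) for one DER certificate."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs = next(children(cert))
    fields = list(children(tbs))
    if fields[0][0] == 0xa0:                # optional explicit version field
        fields = fields[1:]
    _, validity = fields[3]                 # serial, sigalg, issuer, validity, subject
    _, subject = fields[4]
    _, not_after = list(children(validity))
    cn = ""
    for _, rdn_set in children(subject):
        for _, atv in children(rdn_set):
            oid, value = list(children(atv))
            if oid[1] == b"\x55\x04\x03":
                cn = value[1].decode("utf-8")
    return hashlib.sha256(der).hexdigest(), cn, parse_time(*not_after)

def pem_bundle_to_ders(bundle_text):
    """Split a PEM bundle into DER blobs."""
    ders, body, collecting = [], [], False
    for line in bundle_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            body, collecting = [], True
        elif line.startswith("-----END CERTIFICATE-----"):
            ders.append(base64.b64decode("".join(body)))
            collecting = False
        elif collecting:
            body.append(line.strip())
    return ders

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"

def audit_store(gateway_pem, reference_pem, now):
    """Compare by fingerprint; list missing reference CAs and expired gateway CAs."""
    gateway = {fp: (cn, na) for fp, cn, na in map(cert_info, pem_bundle_to_ders(gateway_pem))}
    reference = {fp: (cn, na) for fp, cn, na in map(cert_info, pem_bundle_to_ders(reference_pem))}
    missing = sorted(cn for fp, (cn, _) in reference.items() if fp not in gateway)
    expired = sorted(cn for cn, na in gateway.values() if na <= now)
    return {"missing": missing, "expired": expired}

# Constructed sample stores and evaluation date (not real CA certificates).
_d = lambda y: datetime(y, 1, 1, tzinfo=timezone.utc)
NOW = _d(2011)
GATEWAY_BUNDLE = to_pem(synthetic_cert("Sample Root A", _d(2000), _d(2030))) \
               + to_pem(synthetic_cert("Sample Root B (expired)", _d(1998), _d(2010)))
REFERENCE_BUNDLE = to_pem(synthetic_cert("Sample Root A", _d(2000), _d(2030))) \
                 + to_pem(synthetic_cert("Sample Root C", _d(2005), _d(2035)))

if __name__ == "__main__":
    print(audit_store(GATEWAY_BUNDLE, REFERENCE_BUNDLE, NOW))
```

Comparing fingerprints rather than subject names matters for this kind of store: a CA that re-issues its root with a new key keeps its name, and the old entry is exactly the one a "remove compromised Root CAs" step would need to take out. Expiry is evaluated against a fixed date here so the result is reproducible; for a live check pass `datetime.now(timezone.utc)`.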
Is it possible to get some notice when this feature will be "RTM"? I am also one of the candidates that would desperately need a bigger / extended list of CA Root Authorities...
I am looking forward to providing our customers with the updated and updatable list. It has been a pain in the past. We are still in the process of testing, but I think we may be able to provide a recent list, maybe without the automatic update feature, but that will be attached to the list later on.
I will let the community know once there is any news :-)
Unfortunately not yet. We are pretty much done with building the content; now we are waiting for a build that is able to deal with the content. This will take some more time, unfortunately :-(