McAfee offers several "subscribed" lists for MWG including things like Known/Trusted Certificate Authorities, Citrix IP Ranges, WebEx IP Ranges, Streaming Media Types, Windows Update and Activation Hosts. This mechanism seems like it would be super convenient, however I've been wondering about the "freshness" of these lists.
For example, Microsoft released a security bulletin on Jan 3, 2013 about TURKTRUST creating a couple of sub CAs which were then used to issue fraudulent certs. (http://technet.microsoft.com/en-us/security/advisory/2798897)
The MWG subscribed CAs list currently contains a TURKTRUST CA:
40 | (c) 2005 TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı | http://www.turktrust.com.tr/sil/TURKTRUST_Kok_SIL.crl | TRUE
Since the subscribed certificate list doesn't appear to have a way to verify specific details about any individual certificate, those who use the subscribed list are reliant on McAfee's due diligence with regard to certificate trustworthiness.
Does McAfee have a process for ensuring that the data in each of the subscribed lists is valid? If so, how often is that data verified/updated?
I'm sure Andre (asabban) will have some comments regarding this on Monday. He's a part of the team that manages these lists.
You are right about the subscribed list for the certificate authorities. In the past this list was static and was only updated from time to time, leaving the general administration and maintenance of this list in the customers' hands. Because we received a lot of feedback that people no longer want to take care of the list, we have decided to offer the subscribed list. You have options to
- maintain the list on your own
- take a snapshot of the McAfee maintained list and then maintain it on your own
- take the McAfee maintained list and add exceptions
- only use the McAfee maintained list
Generally the expectation when using MWG is that the "browsing experience" is similar to what would happen when using a browser without MWG in the line. So basically we have collected all trusted CAs from common browsers and created our own list. Once this list was completed it was checked for duplicates, expired certificates, etc. This was the initial list we started with, which should give a browsing experience similar to your web browser, so no longer "It works in IE but not in IE when using MWG".
We have wrapped some processes around this list such as scanning for missing CRL/OCSP URLs, scanning for expired certificates, etc. Adding new CAs or removing CAs which are no longer trustworthy is generally a manual process, which means that we collect feedback from customers who report websites they can't access because the CA is missing, and follow common news about potential problems with CAs, which are then manually reviewed and most likely removed. In these cases we basically follow the browser vendors, because this is basically what we are compared with when the behaviour is different, and usually the browser does things more correctly than MWG (at least this is the expectation :-)).
We do not have any specific SLAs or response times when unknown or fraudulent CAs are reported. Usually we immediately start investigating the problem and then decide what we can do from within the maintained list. Usually (as mentioned earlier) we follow the decisions of the browser vendors. In the meantime, besides the certificate checks, MWG of course has the advantage of offering additional security by trusted source and gateway anti-malware, which you don't have when only using a browser (in this case the CA verification is the one and only protection).
I have taken a look into the TürkTrust articles today and the good news here is (compared to earlier certificate incidents) that there is only one CA which has been incorrectly given out as a subordinate certificate, so the number of potentially fraudulent certificates is limited to those signed by this CA, since the certificate authority has not been compromised. This is also the reason why I still hesitate to completely drop TürkTrust from the CA list, as this would deny all accesses to websites using certificates signed by TürkTrust. The fraudulent certificate has not been spread to the internet and has not been seen on any malicious host (yet), so removing the top level Root CA would cause trouble for a lot of people, while keeping it should only be a small risk, especially because MWG has more features that will protect you.
The problem is that the maintained list does not offer a dedicated blacklist. So I can list CAs that I know as trusted or not list them, but I cannot mark a CA as untrusted. I am currently working with engineering on a good idea to have this solved, maybe by providing a dedicated blacklist.
If required you should be able to manually untrust the subordinate CA in question; for the meantime I think it is a better idea to not remove TürkTrust completely from the maintained list. I will follow up on the issue and update the thread in case we decide to remove the top level CA.
I hope this makes some sense. As usual I am happy to provide more information if required.
As an addition to my above statement:
In case you explicitly want to block the mentioned subordinate CA you can do the following:
Parallel to the "Maintained List" of CAs you can configure a local list which has priority:
You can use this list to add exceptions, such as black listed subordinate CAs. You can add the above mentioned certificate to this list and mark it as untrusted:
I will add the list so you can simply import it to your MWG. By doing so you will no longer be able to access a web site that uses a certificate signed by the subordinate CA listed in the additional list of CAs.
Message edited by asabban on 07.01.13 15:42:52 CET
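As an added example (not code from McAfee or from anyone in this thread), a small Python model of how the maintained CA list and a higher-priority local list combine into a per-chain decision, showing why untrusting the *.EGO.GOV.TW sub-CA blocks only certificates issued under it, while untrusting the TÜRKTRUST root blocks everything below it. The combining policy (any untrusted CA in the chain blocks it; otherwise a trusted anchor must be reached), the Cert/CaLists names and the leaf hostnames are assumptions made for this example, not MWG's documented algorithm.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the signing CA; equals subject for a self-signed root

@dataclass
class CaLists:
    # McAfee maintained list: every listed CA is trusted (it has no blacklist, as the thread notes)
    maintained: set
    # locally defined list, subject -> trusted flag; it takes priority over the maintained list
    local: dict = field(default_factory=dict)

    def verdict(self, subject):
        """True = trusted, False = untrusted, None = not listed anywhere."""
        if subject in self.local:
            return self.local[subject]
        return True if subject in self.maintained else None

def evaluate_chain(chain, lists):
    """chain is ordered leaf -> intermediates -> root. Policy modelled here
    (an assumption): any CA in the chain marked untrusted blocks the chain;
    otherwise it is allowed only if some CA in it is marked trusted."""
    cas = chain[1:]
    for ca in cas:
        if lists.verdict(ca.subject) is False:
            return False, f"blocked: issuer {ca.subject} marked untrusted"
    for ca in cas:
        if lists.verdict(ca.subject) is True:
            return True, f"allowed: anchored at trusted CA {ca.subject}"
    return False, "blocked: no trusted CA in chain"

# Constructed sample chains: root and sub-CA names are the ones named in the thread,
# the leaf hostnames are made up for the example.
ROOT = "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı"
SUB_CA = "*.EGO.GOV.TW"
root_cert = Cert(ROOT, ROOT)
sub_ca_cert = Cert(SUB_CA, ROOT)
via_sub_ca = [Cert("www.example.test", SUB_CA), sub_ca_cert, root_cert]
via_root = [Cert("shop.example.test", ROOT), root_cert]

def decisions(local_entries):
    """Evaluate both constructed chains against the maintained list plus a local list."""
    lists = CaLists(maintained={ROOT}, local=dict(local_entries))
    return {"via_sub_ca": evaluate_chain(via_sub_ca, lists)[0],
            "via_root": evaluate_chain(via_root, lists)[0]}

if __name__ == "__main__":
    print("maintained list only:", decisions({}))                   # both allowed: the exposure discussed above
    print("sub-CA untrusted locally:", decisions({SUB_CA: False}))  # only the sub-CA chain is blocked
    print("root untrusted locally:", decisions({ROOT: False}))      # everything under TÜRKTRUST is blocked
```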
I already had a locally defined list (to handle certificate authorities that weren't in the subscribed list) so I imported *.EGO.GOV.TW's entry to that list from your supplied Blacklisted CAs list.
For those who need to block the intermediate CA (*.EGO.GOV.TW) on 6.x, here are steps to do it.
The CA is attached at the bottom of this post. Make sure to unzip it somewhere where you can find it for import.
Import the CA under Configuration >> Certificate Management >> Known Certificate Authorities:
Then add it to your List of "Global Trusted Certificate Authorities" (Don't be confused by the word "trusted" here, we will make the intermediate untrusted in a second) under SSL Scanner >> Global Trusted Certificate Authorities:
And lastly, make sure this CA is marked as untrusted. This way all certificates issued by the CA will be blocked (filtering for the word "ego" should find it in large lists):
on 1/8/13 9:08:02 AM CST