Former Member
Message 1 of 6

User concerns around SSL Interception


Hoping some of the McAfee staff could lay out the truth behind SSL interception?  As I'm introducing this product there's quite a bit of hesitation around letting it become a subordinate CA to our AD Enterprise CA, as well as the actual decrypting and encrypting of HTTP traffic.

From past experience with other proxies it was not possible to see the unencrypted SSL with a sniff or log reader because that all happens either at the NIC level (after decryption and then re-encryption happens) or the logs don't show deep enough into layer 7. Theoretically could someone get at the unencrypted info, say through a memory dump?

Basically am I right in telling the users that their SSL is safe from an abusive admin?  And on top of that does McAfee recommend disabling SSL for categories like banking and webmail?


5 Replies
McAfee Retired
Message 2 of 6

Re: User concerns around SSL Interception

Coincidentally enough, I had this same conversation with a large bank today. Some of the topics discussed included these, and some of this is my editorialization, of course.

By default with MWG, decrypted traffic is never put back on the wire. Decrypted content is not stored on the disks. Logs can optionally be encrypted on-box, so even the IP, Usernames and URLs are never written in the clear. It makes reporting a pain, but possible.

As a general rule most users will bypass decryption on Banking/Finance, Health, Stocks and a handful of whitelisted sites. But I don't recommend bypassing decryption on webmail. It is a primary vector of infection/leakage.

Typically, there should be an acceptable use policy that spells out the terms of using your network. Create the understanding that you can be watched. Big warning pages when you go to an SSL site with an 'Agree' button to consent to monitoring can be used. I've created rules for MWG7 that inject a banner on the top of all pages that indicates "Monitoring in Progress" for one customer. They let the users go to Social Networking sites, but they have informed consent. Is there really privacy on the internet? If there is something you don't want discovered, don't do it. I told my kids when they were 10 & 12 not to expect anything you do on the internet to be considered private, because somewhere, somehow it can be seen by someone. Then I showed them Ethereal (at the time) traces of their AIM messages with their friends to prove it. It's 10+ years later and they still remember that lesson.

The problem of an abusive admin is a carbon-based problem, not a silicon-based one. Separation of functional duties, configuration auditing and strict change control policies help reduce the potential of abuse. Most organizations have these mitigating controls in place to watch the watchers.

It's clearly up to your policy if you want to do it or not. Weigh the risk and benefits. And trust but verify what the admins are doing.

...Just my humble opinion.

Message was edited by: Erik Elsasser on 9/23/10 9:59:05 PM CDT
Former Member
Message 3 of 6

Re: User concerns around SSL Interception

Hi Erik,

regarding your statement:

"I've created rules for MWG7 that inject a banner on the top of all pages that indicates "Monitoring in Progress" for one customer."

Could you please give me a hint on how to accomplish such a task? I would really appreciate it.



McAfee Retired
Message 4 of 6

Re: User concerns around SSL Interception

First create your own image to insert at the top of the page. A JPG, GIF or PNG should suffice. Upload it to the img/ directory where the block pages are. In this example, my image name is monitor.jpg.

Then you have rules that open the HTML tags and insert the <img> tag right after the <body> tag.

You should probably restrict this rule set to only a few categories that you want to warn against, not everything you are proxying. If you want to warn on everything, you should just have a welcome page display once at the beginning of the day instead.

Rule Set: Monitoring In Progress
Applies to: Requests: False / Responses: True / Embedded Objects: True
Criteria: 1: MediaType.EnsuredTypes contains text/html

Rules (all Enabled, action Continue):

  Enable HTML Opener
      Action: Enable HTML Opener <HTML Filtering>

  Set the Redirect Image
      Action: Set User-Defined.redirectImage =
          "<img src="" +
          "http" +
          "://" +
          IP.ToString(Proxy.IP) +
          ":" +
          Number.ToString(Proxy.Port) +
          "/files/default/img/monitor.png" +

  Remove Header for "Content-Length"
      Action: Header.RemoveAll("Content-Length")
      Comment: The HTML rules will modify the content length, so we delete this header so that user agents will not complain about receiving less data than promised.

  Find End of Start Tag
      Criteria: 1: HTMLElement.Name equals "body"
      Action: Set User-Defined.endOfStartTag =
          Body.PositionOfPattern(">",0,2000) +

  Inject Image right after <body>
      Criteria: 1: HTMLElement.Name matches *body*

User Defined Properties
  Name / Type / Initial Value

Engines
  Enable HTML Opener (HTML Filtering), Setting / Value:
      List of elements that should be opened: NodeNameInlineList (inlineList)
          Node Name / Start Tags Only
      Only open elements that refer to external sources: OnlyOpenExternalLinks (Boolean)

Here is some of the output I tested:





Message was edited by: Erik Elsasser on 12/28/10 10:22:54 AM CST
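The rule set above does three things in sequence: only act on text/html, locate the end of the opening <body> start tag within the first 2000 bytes, splice an <img> tag in right after it, and then deal with the now-wrong Content-Length. The following Python is an added illustration of that same logic as a proxy-side response filter; it is not MWG code or from the post, and the proxy host name, banner URL and sample response are constructed. Unlike the rule set, which drops Content-Length, this version recomputes it.

```python
import re
from typing import Dict, Tuple

# Constructed sample of a proxied HTML response (not taken from the post).
SAMPLE_BODY = b'<html><head><title>t</title></head><body class="main">\n<p>hi</p></body></html>'
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                  "Content-Length": str(len(SAMPLE_BODY))}

# Hypothetical banner URL, mirroring the /files/default/img/ path used in the post.
BANNER_URL = "http://proxy.example.internal:9090/files/default/img/monitor.png"

# Mirrors Body.PositionOfPattern(">", 0, 2000): only the first 2000 bytes are searched.
SEARCH_WINDOW = 2000
_BODY_TAG = re.compile(rb"<body\b", re.IGNORECASE)


def inject_banner(headers: Dict[str, str], body: bytes,
                  img_url: str = BANNER_URL) -> Tuple[Dict[str, str], bytes]:
    """Insert an <img> banner right after the opening <body ...> tag.

    Returns (headers, body) unchanged when the response is not text/html or
    when no complete <body> start tag exists inside the search window.
    """
    # Criterion: MediaType is text/html (ignore charset and other parameters).
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "text/html":
        return headers, body
    # Find the <body start tag; attributes such as class="..." are allowed.
    m = _BODY_TAG.search(body, 0, SEARCH_WINDOW)
    if not m:
        return headers, body
    # End of the start tag: the first '>' after '<body', still within the window.
    end = body.find(b">", m.end(), SEARCH_WINDOW)
    if end == -1:
        return headers, body
    banner = b'<img src="' + img_url.encode("ascii") + b'" alt="Monitoring in progress">'
    new_body = body[: end + 1] + banner + body[end + 1 :]
    # The injected bytes invalidate the original Content-Length, so recompute it
    # (the MWG rule set removes the header instead).
    new_headers = dict(headers)
    new_headers["Content-Length"] = str(len(new_body))
    return new_headers, new_body


if __name__ == "__main__":
    hdrs, page = inject_banner(SAMPLE_HEADERS, SAMPLE_BODY)
    print(hdrs["Content-Length"], page.decode())
```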
Former Member
Message 5 of 6

Re: User concerns around SSL Interception

Thank you very much for the hint, it was very useful.

I really appreciate it.


Reliable Contributor
Message 6 of 6

Re: User concerns around SSL Interception


Is there also a coaching page possible before an SSL tunnel is decrypted by MWG?

Best Regards,

