Try our new Certificate Revocation List Check Tool
CRLcheck.exe is a tool developed to verify digital signatures of executable files. It collects files from known paths on your client, checks their signature, and checks Certificate Revocation Lists (CRL) and OCSP download. This helps avoid delays in launching files.
Category published:  FW Fortigate FW Sophos Hotfixes, Updates SECURITY W10   Click on the Category button to get more articles regarding that product.

Browser TLS 1.3 activated and your Firewall can’t handle it?

Posted by admin on 02.09.2020

TLS 1.3

https://tools.ietf.org/html/rfc8446

Some modern Browser switch to TLS 1.3 automatic if the Web server on the other side supports this. Like Version 72 of Chrome.exe or even your OS is like Windows 10 Buildnummer 20170 upwards (That means the OS itself). So it’s all safer and faster?

https://blogs.windows.com/windows-insider/2020/07/15/announcing-windows-10-insider-preview-build-20170/

The problem is that some Next Generation Web Filter (Firewall) can’t look into the SSL-encryption anymore and find malware/Ransomware. With Browser self updating mechanism like in Chrome or Edge Chromium you suddenly have a constellation that you did not want. While you approved IE11/EDGE Updates in WSUS and mostly checked each new Release of the Browser before releasing it this has changed.

The interesting point is that also some Load Balancer are only able to break (Deep Inspect) traffic with really new Firmware releases. Customers demanded that feature since 2017 we see in diverse blogs and feature request portals of producers. So if you want to sniff into SSL (Break SSL Stream) and you’re Firewall can’t handle TLS 1.3 special you currently have a problem.

Check if your browser has TLS 1.3 active is easy

CHROME:

chrome://flags/#tls13-variant (Since Version 72 TLS 1.3 default)

MICROSOFT EDGE CHROMIUM:

edge://flags/

As example Type edge://flags/ in the Browser URL window.

Or jump direct to the TLS 1.3 setting with edge://flags/#enable-tls13-early-data

Open following URL / Test Website to see what’s supported:

https://browserleaks.com/ssl

 

https://news.sophos.com/en-us/2020/08/18/report-firewall-best-practices-to-block-ransomware/

https://www.fortinet.com/blog/business-and-technology/tls-is-here-what-this-means-for-you

https://www.f5.com/c/landing/encrypted-threats/article/tls-1-3-are-you-ready-for-the-update

https://community.checkpoint.com/t5/General-Topics/CheckPoint-TLS-1-3-support-When/td-p/63672

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/understanding_traffic_decryption.html

https://www.sonicwall.com/support/knowledge-base/ssl-tls-protocols-supported-by-sonicos-matrix/170615123553371/

 

 

Read more:

https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/

https://www.imperial.ac.uk/media/imperial-college/faculty-of-engineering/computing/public/1819-pg-projects/Detecting-Malware-in-TLS-Traf%EF%AC%81c.pdf

https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/

https://www.heise.de/security/meldung/Verschluesselung-TLS-1-3-Fauxpas-gefaehrdet-Embedded-Systeme-mit-wolfSSL-4883741.html

https://www.heise.de/hintergrund/Was-TLS-1-3-ist-und-wie-Sie-davon-profitieren-4248740.html

https://www.sans.org/reading-room/whitepapers/vpns/paper/39715

https://nakedsecurity.sophos.com/2020/02/18/malware-and-https-a-growing-love-affair/

 

 

 


 Category published:  FW Fortigate FW Sophos Hotfixes, Updates SECURITY W10   Click on the Category button to get more articles regarding that product.

Related Post

SMB over QUIC a OneDrive, Sharepoint replacement, SRV 2025?

Crowdstrike Falcon Sensor, Azure VM Repair paths

Crowdstrike Falcon, BSOD, VMWARE Server Recovery DEU

Template theme: Newsup by Themeansar (External Link, you will leave www.butsch.ch).