How Can End Users View Actual Website Certificate Path and Information

edited September 2021 in Firebox - Certificates

When an end user who has a Fireware certificate installed in their Trusted Root Certification store tries to view the website cert for the site they are on, and that site is being inspected by a Firebox HTTPS Proxy, they only see the Fireware cert in the certificate path in the browser (MS Edge). How would an end user go about verifying the actual site cert information (Issued by, Issued to and so on) so that they can make an informed trust decision about the website? Thanks

Comments

  • You can use sites such as https://www.ssllabs.com/ to look at the cert for the web site.

  • james.carson Moderator, WatchGuard Representative

    The firewall actually checks this using the trusted root certs it has installed. If the cert is invalid, the proxy will throw an invalid cert with "WatchGuard HTTPS certificate invalid" in the subject of the cert.

    -James Carson
    WatchGuard Customer Support

  • Thanks guys, using the ssllabs site and considering James's post helped a lot. I then found a very interesting blog post by Will Dormann, The Risks of SSL Inspection. He mentions that some inspection implementations can reduce or completely prevent clients from successfully validating the identity of the servers that they are communicating with. I am concerned that a user may get a valid certificate but for a fake site and won't be able to see the certificate information they normally would if they didn't use the proxy certificate.

  • You actually have users who look at the cert info????
    Wow!!!

  • james.carson Moderator, WatchGuard Representative

    @user808
    If you'd like to inspect the certificates the firewall is using for this purpose, you can go to:
    - In Firebox System Manager, View -> Certificates. In the Show drop-down, choose "Trusted CA for Proxies Certificates."
    - In the WebUI, go to System -> Certificates. In the drop-down menu, choose "Trusted CA for Proxy Certificates."

    The option to allow automatic updates from our servers is right there in the WebUI; in Policy Manager it is under Setup -> Certificates.

    Under normal operations with content inspection on, normal web traffic will be properly signed by the firewall's proxy authority certificate. Sites with invalid certs will automatically have an invalid cert generated (with the message in the subject) so that the user gets the same certificate warning they would without content inspection enabled.

    Windows manages certificate revocation via Windows Update, which many users will defer. Some browsers such as Firefox will maintain their own certificate repository and update it themselves.

    Barring extreme circumstances (like a compromised computer, or similar issue) users would have the same invalid certificate warning with inspection on as they'd have with it off.

    -James Carson
    WatchGuard Customer Support
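    The two behaviours James describes (a re-signed chain when the upstream cert is good, a cert carrying "WatchGuard HTTPS certificate invalid" in its subject when it is not) can be checked from the client side. The following is an added example written for this thread, not code from WatchGuard or from any poster; it works on the dict layout Python's `ssl.SSLSocket.getpeercert()` returns, the proxy CA name `PROXY_CA_CN` and the sample certificates are constructed placeholders, and the SSL Labs fingerprint comparison assumes you read the site's SHA-256 fingerprint from the report as the earlier reply suggests.

```python
"""Added example: classify the certificate a client sees behind HTTPS inspection.

Certificates are handled in the dict layout that ssl.SSLSocket.getpeercert()
returns (nested tuples of RDNs, each RDN a tuple of (attribute, value) pairs),
so the functions below work unchanged on a live connection's result.
"""
import hashlib
import socket
import ssl

# Marker text the Firebox puts in the subject when the upstream certificate
# failed validation (quoted from James Carson's post above).
INVALID_MARKER = "WatchGuard HTTPS certificate invalid"

# Hypothetical commonName for the proxy CA installed in the client's trusted
# root store; read the real value from your own certificate store.
PROXY_CA_CN = "Example Fireware HTTPS Proxy CA"


def rdn_to_dict(name):
    """Flatten getpeercert()-style nested RDN tuples into {attribute: value}."""
    flat = {}
    for rdn in name:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def classify(peercert, proxy_ca_cn=PROXY_CA_CN):
    """Return how the presented leaf certificate relates to the proxy.

    'inspected-invalid': re-signed by the proxy and carrying the invalid marker,
                         i.e. the firewall rejected the real site certificate;
    'inspected-valid':   re-signed by the proxy, upstream chain was accepted;
    'direct':            issued by some other CA, no inspection on this path.
    """
    subject = rdn_to_dict(peercert.get("subject", ()))
    issuer = rdn_to_dict(peercert.get("issuer", ()))
    if any(INVALID_MARKER in str(v) for v in subject.values()):
        return "inspected-invalid"
    if issuer.get("commonName") == proxy_ca_cn:
        return "inspected-valid"
    return "direct"


def describe(peercert):
    """One-line 'Issued to / Issued by' summary, the fields the question asks about."""
    subject = rdn_to_dict(peercert.get("subject", ()))
    issuer = rdn_to_dict(peercert.get("issuer", ()))
    return "issued to %s, issued by %s" % (
        subject.get("commonName", "?"), issuer.get("commonName", "?"))


def fingerprint_matches(der_bytes, expected_sha256):
    """Compare a DER certificate (getpeercert(binary_form=True)) against a
    SHA-256 fingerprint obtained out of band, e.g. from an SSL Labs report.
    Colons, spaces and letter case are ignored. Behind an inspecting proxy the
    presented leaf is the proxy's re-signed copy, so the fingerprints differ
    even for a perfectly valid site; a match means no re-signing took place."""
    wanted = expected_sha256.replace(":", "").replace(" ", "").lower()
    return hashlib.sha256(der_bytes).hexdigest() == wanted


def fetch_peercert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (needs network, so it
    is not exercised offline). Uses the default trust store, so a proxy CA
    installed on the machine is honoured; a failed validation raises
    ssl.SSLCertVerificationError instead of returning a certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() layout (not real captures).
SAMPLE_INSPECTED_VALID = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", PROXY_CA_CN),),),
}
SAMPLE_INSPECTED_INVALID = {
    "subject": ((("commonName", "www.example.com"),),
                (("organizationalUnitName", INVALID_MARKER),)),
    "issuer": ((("commonName", PROXY_CA_CN),),),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}

if __name__ == "__main__":
    for label, cert in [("valid", SAMPLE_INSPECTED_VALID),
                        ("invalid", SAMPLE_INSPECTED_INVALID),
                        ("direct", SAMPLE_DIRECT)]:
        print(label, classify(cert), "-", describe(cert))
```

    To use it against a real site, replace the constructed dicts with `fetch_peercert("www.example.com")`; `classify()` then tells the user whether what they are looking at is the proxy's re-signed copy, the proxy's invalid-marker cert, or a certificate that reached them untouched. The fingerprint check only ever matches on an uninspected path, which is exactly the point raised later in the thread: behind the proxy the browser cannot show the real site's certificate, so the comparison has to be made against an out-of-band source.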

  • Thank you very much

  • Some sites show the cert as valid, but show Issued By as the WatchGuard. Facebook is one of those sites.

    Gregg Hill
