Jump to content

ESET and revoked certificates

jimwillsher

By jimwillsher
in ESET Endpoint Products

 Share

Recommended Posts

jimwillsher

jimwillsher 65

Posted
Posted

Hi

Can someone clarify how the ESET "man in the middle" certificate operates, with regards to revoked certificates?

We access a website where we *know* the certificate was revoked on 15th. if I access from a PC on our network, protected by ESET, access is allowed (it shouldn't be):
image.png.82cc76c34c3543afd5eb3259c2749f21.png

 

 

If I access the site from another computer, not protected by ESET, the site is correctly rejected by Chrome:

image.png.1e2d862fd8e63e5894ac6a1697da1d5c.png

 

 

This doesn't seem right to me.

 

 

Jim


 

Link to comment
Share on other sites
jimwillsher

jimwillsher 65

Posted
  • Author
Posted

It's this one:

saglobal-sandbox1ceacc237d6aa5aedevaos.cloudax.dynamics.com/

However we have already refreshed the certificates. Let me see if we have another site in the same situation.

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

Here's the deal as far as FireFox goes; I don't use Chrome.

When I enter this URL, https://saglobal-sandbox1ceacc237d6aa5aedevaos.cloudax.dynamics.com/ , I am redirected to this URL, https://login.microsoftonline.com/saglobal.com/wsfed?wa=wsignin1.0&wtrealm=spn%3a00000015-0000-0000-c000-000000000000&wctx=rm%3d0%26id%3dpassive%26ru%3d%2f&wct=2021-02-17T14%3a35%3a06Z&wreply=https%3a%2f%2fsaglobal-sandbox1ceacc237d6aa5aedevaos.cloudax.dynamics.com%2f , which results in the below web page being displayed. The sign on display format is the same as the one given when signing on using one's Microsoft account.

In any case, Eset SSL/TLS protocol scanning has whitelisted this URL and is not scanning it. Why? Because its a Microsoft logon certificate. This also means no certificate validations are being performed by Eset.

Eset_Global.thumb.png.b4d3394eb72c227693b32bcef33ec9bd.png

-EDIT- Note that Chrome by default uses a CRL for revoked certificate checking. Eset and also FireFox use OCSP. My best guess to what happened here is Chrome's CRL got updated but OCSP servers did not for some reason.

   

Edited by itman
Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted
1 hour ago, jimwillsher said:

Strange, we have another server (https://sagfunc5abbde991b39cdc0aos.cloudax.dynamics.com/) which eset is correctly flagging.  but it definitely didn't flag the original one I reported, and it had the same cert expiry date.

I also don't know why Eset flags this cert. since it validates fine:

Eset_Cert.png.d322b97c4ebe511a1d67cf07409eefb8.png

No, this cert. shows revoked via OCSP server status. QUALS SSL status report here: https://www.ssllabs.com/ssltest/analyze.html?d=sagfunc5abbde991b39cdc0aos.cloudax.dynamics.com

 

Link to comment
Share on other sites
itman

itman 1,659

Posted
Posted (edited)

This article might be of interest on how different browsers perform certificate validations: https://www.ssl.com/article/how-do-browsers-handle-revoked-ssl-tls-certificates/ .

I also don't know if there is a resolution to this inconsistency in certificate verification. Google pretty much locks down access to Chrome internals. FireFox uses both CRL and OCSP by default unless OCSP has been manually disabled. The self-test SSL.com performed shows that FireFox with OCSP enabled is superior to Chrome in certificate checking ; at least on Window OSes.

Edited by itman
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...