Check Point has not cracked HTTPS or SSL. HTTPS is regarded secure and is not known to have been cracked.
For HTTPS traffic inspection, Security Gateways must examine the data as clear text. Encrypted data sent by a client to a web server is:
Intercepted by the Security Gateway and decrypted.
Inspected by the blades defined by the policy.
Encrypted again and sent to the designated web server.
The Security Gateway acts as an intermediary between the client computer and the secure web site. The Security Gateway behaves as the client with the server, and as the server with the client using certificates.
A dedicated CA signs certificates, and the Security Gateway presents these certificates to the client. Before the user installs that CA certificate, any site accessed by the browser will produce warnings.
When HTTPS Inspection is used, the browser sees server certificates, signed by the gateway, rather than by the original trusted CA. To get the EV indication in the browser, the server certificate must be signed by a specially-designated Certificate Authority. The list of those CA certificates is hard-coded into the browser, and cannot be modified by the user.
Yes. By default, the CRL check is done on the certificate. The check is done without holding the connection, so the first time a user accesses a specific site, it will pass without CRL validation, and the next connection will be validated. By default, if the CRL can't be reached, the certificate is considered to be trusted (this is also the default behavior of the common browsers).
If you wish to enforce CRL fetch, and to mark the certificate as untrusted, if the CRL can not be reached, you can use GuiDBedit Tool to change the value of attribute "drop_if_crl_cannot_be_reached" to "true" (Tables -> "Other" -> "SSL Inspection" table -> "general_confs_obj" Object).
To filter out sites from HTTPS Inspection, a mapping between the site IP to its correlating domain is needed. The mapping is created based on the certificate DN served by the site. This requires us to perform HTTPS Inspection on any accessed SSL site, at least once. After this mapping is in place, no further inspection will occur (according to the rulebase). -- This is the underlying reason for the "refresh" success. Note: This behavior is only relevant if there is no proxy between the gateway and the Internet. If there is a proxy, we don't perform full inspection.
It is possible to use the GUI to remove the victim CA from the list of trusted roots. But this is not recommended, as it would damage connections to other customers of that CA.
Another option is to add the specific certificate serial number to the Black List on the SmartDashboard. This approach has been successfully used by all browser vendors in March 2011, when Comodo was conned into issuing multiple certificates for popular web sites.
Check Point will publish regular updates to the list of CAs, and in the future also to the black-list of known stolen certificates.
HTTPS Inspection is a feature that should be supported on most platforms/appliances starting from R75.20 except 600 and 1100 appliances.
Starting from R77.20-based firmware, for all small office appliances (1100/1200R and now 1400 series) full HTTPS inspection is supported.
On locally managed small office appliances (600/1100/1200R and now the new 700/1400 series), we currently only allow URLF over HTTPS and not a full SSL inspection feature. (Note: URLF over HTTPS is the locally managed parallel of "Categorize HTTPS sites".)