Check Point has not cracked HTTPS or SSL. HTTPS is regarded secure and is not known to have been cracked.
For HTTPS traffic inspection, Security Gateways must examine the data as clear text. Encrypted data sent by a client to a web server is:
Intercepted by the Security Gateway and decrypted.
Inspected by the blades set in the policy.
Encrypted again and sent to the designated web server.
The Security Gateway acts as an intermediary between the client computer and the secure web site. The Security Gateway behaves as the client with the server and as the server with the client using certificates.
A dedicated CA signs certificates, and the Security Gateway presents these certificates to the client. Before the user installs that CA certificate, any site accessed by the browser will produce warnings.
When HTTPS Inspection is used, the browser sees server certificates, signed by the gateway, rather than by the original trusted CA. To get the EV indication in the browser, the server certificate must be signed by a specially-designated Certificate Authority. The list of those CA certificates is hard-coded into the browser, and cannot be modified by the user.
Yes. By default, the CRL check is done on the certificate. The check is done without holding the connection, so the first time a user accesses a specific site, it will pass without CRL validation, and the next connection will be validated. By default, if the CRL can't be reached, the certificate is considered to be trusted (this is also the default behavior of the common browsers).
If you wish to enforce CRL fetch, and to mark the certificate as untrusted, if the CRL can't be reached, you can use GuiDBedit Tool to change the value of attribute "drop_if_crl_cannot_be_reached" to "true" ("Other" -> "SSL Inspection" table -> "general_confs_obj" Object).
To filter out sites from HTTPS inspection, a mapping between the site IP to its correlating domain is needed. The mapping is created based on the certificate DN served by the site. This requires us to perform HTTPS inspection on any accessed SSL site, at least once. After this mapping is in place, no further inspection will occur (according to the rulebase). -- This is the underlying reason for the "refresh" success. Note: This behavior is only relevant if there is no proxy between the gateway and the Internet. If there is a proxy, we don't perform full inspection.
It is possible to use the GUI to remove the victim CA from the list of trusted roots. But this is not recommended, as it would damage connections to other customers of that CA.
Another option is to add the specific certificate serial number to the Black List on the SmartDashboard. This approach has been successfully used by all browser vendors in March 2011, when Comodo was conned into issuing multiple certificates for popular web sites.
Check Point will publish regular updates to the list of CAs, and in the future also to the black-list of known stolen certificates.