How do I Stop the MITM Attack Warning When My Users are Using BYOD?

Article #: #
Product: Guardian
Version: Framlingham onwards

Summary:

I need to stop BYOD users thinking they are under a MITM attack when I enable HTTPS inspection.

If HTTPS inspection is enabled on the Smoothwall, users using Bring Your Own Device (BYOD) clients may see a warning in their browser that they are under a Man-In-The-Middle (MITM) attack.

Problem:

For the Smoothwall to intercept and inspect the content of HTTPS traffic, a certificate is required (for why, read our MITM explanation). Since the Smoothwall is intercepting traffic, it cannot use the site's real certificate, so one must be created. This is done using a Certificate Authority (CA) that can be created on the Smoothwall or imported, for example, from Active Directory. For client devices to trust the certificates produced using the CA, the CA certificate must be installed on the client devices (imported CA certificates should be automatically pushed to the devices by the directory service).

In the case of BYOD clients, the device is not centrally managed, so the owner of the device must install the CA certificate themselves. Without it, they will see security warnings when being proxied through a Smoothwall that has Decrypt and Inspect policies enabled.
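
The behaviour described above can be reproduced offline. This is an added example, not Smoothwall code: it builds a throwaway CA, signs a substitute site certificate with it, and validates that certificate as a device without and with the CA installed. The CA name, hostname and file names are hypothetical, and the openssl command-line tool is assumed to be available.

```bash
#!/usr/bin/env bash
# Added illustration, not Smoothwall code. CA name and hostname are hypothetical.
# Assumes the openssl CLI (1.1.0 or later); works offline in a temp directory.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT

# 1. A private CA, standing in for the one created on or imported into the appliance.
make_ca() {
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Inspection CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
}

# 2. A substitute certificate for a site, issued by that CA instead of a public one.
make_site_cert() {   # $1 = hostname
  printf 'subjectAltName=DNS:%s\n' "$1" > "$d/san.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$1" \
    -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/site.crt" 2>/dev/null
}

# 3. Validate the substitute certificate the way a client would.
device_without_ca() { openssl verify "$d/site.crt" >/dev/null 2>&1; }              # default trust store only
device_with_ca()    { openssl verify -CAfile "$d/ca.crt" "$d/site.crt" >/dev/null 2>&1; }

make_ca && make_site_cert www.example.test || { echo "openssl setup failed" >&2; exit 1; }
device_without_ca && echo "without CA: trusted" || echo "without CA: unknown issuer (browser warning)"
device_with_ca    && echo "with CA: trusted"    || echo "with CA: unknown issuer"
```

The first check fails because the issuer is not in the device's trust store, which is the condition a browser reports as a warning; the second succeeds once the CA certificate is supplied as a trust anchor.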

The Smoothwall contains a page which offers the CA for download along with instructions for how to install it on the most common browsers, including those on mobile devices. It is recommended you create a redirect to this page.

Solution:

For security reasons, the Smoothwall cannot detect whether a client has the CA installed. As a result, it cannot automatically determine whether a BYOD device needs the CA, nor redirect the device to this page. However, most BYOD devices connect via wireless and often encounter a splash screen as the first page when opening a browser, either for logging on or for accepting T&Cs. If you use a splash screen, it is recommended that you add a link to the HTTPS Interception page to it. Alternatively, you should advertise the link by other means.

The URL to use for the redirect is:

http://<IPAddress_or_Hostname>/getmitm/

where IPAddress_or_Hostname is the IP address or hostname of the intercepting Smoothwall appliance.

This is the HTTPS Interception page located on the Smoothwall:

Attribution:

Last updated: 5th July 2016
Author: Dan Mckean-Tinker
Contributions by: Samantha Nair

Copyright © 2000-2016 Smoothwall All rights reserved.