The decision came after a user managed to obtain a private key

Jul 10, 2012 07:03 GMT  ·  By

Although it claimed that customers were not at risk because of the vulnerability reported by members of the Tor Project, Cyberoam rushed to release a hotfix that forcibly generates a unique CA certificate for each deep packet inspection (DPI) device.

Initially, the network security company stated that the private keys could not be obtained because the appliances did not allow them to be imported or exported. However, an anonymous user posted a decrypted private key in the comment section of the Tor blog, demonstrating that it could be done.

The update has been released over the air, and if it is applied correctly, appliance users should see an alert informing them of the modification. As a result, customers of the affected devices should be safe even if the private key is exposed.

Users who haven’t received the update are advised by Cyberoam to change the default CA by using the CLI command.

“All customers who have a unique key will thus be safe as the unique key is appliance specific, with no copy of it anywhere, not even with Cyberoam. Once the customer generates his own unique CA certificate, the UTM appliance stops using the default CA certificate for SSL traffic inspection,” the firm’s representatives wrote.
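As an added illustration (not Cyberoam's code), the Go sketch below shows the shape of the fix described above and the check an administrator can run against it: each appliance generates its own CA key pair, so no two appliances share a private key, and the issuer CA seen on an intercepted HTTPS connection can be compared against a list of known shared default CA fingerprints. The CA subject, the ECDSA key type and the fingerprint list are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newApplianceCA models the hotfix behaviour: a fresh key pair and a
// self-signed CA certificate per appliance (assumed shape, not vendor code).
func newApplianceCA(serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "Appliance DPI CA (example)"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SPKIFingerprint hashes the SubjectPublicKeyInfo, so two CAs that share a
// private key (the pre-hotfix situation) get the same value.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// UsesSharedDefaultCA reports whether the interception CA presented on a
// connection is one of the shared default CAs the operator has on file.
func UsesSharedDefaultCA(issuer *x509.Certificate, knownShared map[string]bool) bool {
	return knownShared[SPKIFingerprint(issuer)]
}

func main() {
	a, _ := newApplianceCA(1)
	b, _ := newApplianceCA(2)
	fmt.Println("distinct per-appliance keys:", SPKIFingerprint(a) != SPKIFingerprint(b))
}
```

The fingerprint map would be populated with the SPKI hash of the known shared default CA, which this page does not give; an appliance that still presents it has not applied the hotfix or regenerated its CA.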

On the other hand, they highlight the fact that they’ve been “singled out” in this situation, even though numerous other companies expose their users in the same manner with HTTPS Deep Scan Inspections.

“As a company, we are taking this as a positive pointer. These immediate changes are immediately putting our appliances at a better security level than the rest of the industry that uses the same methodology where a default CA is shipped with each appliance that puts them at the same risk when providing HTTPS deep scan,” they concluded.