Microsoft Edge changes TLS server certificate verification - which impacts DPI-SSL
BWC
Cybersecurity Overlord ✭✭✭
Hi,
anyone who is using DPI-SSL and the Microsoft Edge Browser might be facing some issues in the near future.
MS decided to switch from trusting the Certificate Store in the OS to a built-in list in the Browser. IMHO a bold move but they might have their reasons. This will have a direct impact for trusting your DPI-SSL CA Certificate and you should make your self aware of this in time. Keep your eyes peeled for MS Edge 109 and have your tests finished before 111 which might break the DPI-SSL trust.
@SuroopMC does this need to be addressed by Capture Client? I can't tell if it's possible to push certs into that list like it was possible for Firefox.
--Michael@BWC
Category: Mid Range Firewalls
2
Comments
Thanks for pointing this out @BWC !
I think the key line here is:
In addition to trusting the built-in roots that ship with Microsoft Edge, the browser will also query the underlying platform for—and trust—locally installed roots that users and/or enterprises installed.
So locally trusted roots should, in theory, still work even after the change.
@TKWITS that's what I thought first as well, but this drove me somewhat over the cliff:
Microsoft recommends that enterprises that have break-and-inspect proxies or other scenarios involving TLS server certificates issued by roots not in the Microsoft CTL to proactively test with the policy enabled in Microsoft Edge 109 and report any compatibility issues to Microsoft.
In Microsoft Edge 111, we plan to remove support for the MicrosoftRootStoreEnabled policy.
Doesn't this mean that with Edge 111 and up it will not look into the OS Cert Store any longer?
--Michael@BWC
Unsurprisingly the wording is unclear. It's clear the MicrosoftRootStoreEnabled policy will be allowed temporarily, but not whether Edge will still look at the OS Cert Store post removal of said policy.
The line I pointed out preceded any text about the policy.
Who knows.
Still good information to have.
Tim, I've played around with it a bit with Edge 110, but no matter if I enable or disable this flag my system-wide DPI-SSL is accepted and now browser certificate warnings pop up. Honestly I couldn't figure out that Edge isn't using the System Cert Store.
Is it a nothing burger or am I just not looking at the right places?
--Michael@BWC
Not sure, havent had the time to investigate myself.
Hi,
is there anything new on the subject? I'm a bit worried about the info from MS regarding Edge 113.
Microsoft recommends that enterprises that have break-and-inspect proxies or other scenarios involving TLS server certificates issued by roots not in the Microsoft CTL to proactively identify and report any compatibility issues to Microsoft.
In Microsoft Edge 113, we plan to remove support for the MicrosoftRootStoreEnabled policy.
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-cert-verification
Are there any working alternative certificates?
So the options are :-
1) Use Chrome ?
2) Go Cloud ? (ughh).
3) Turn off DPI-SSL ?
4) ?
Directions please Mr SonicWALL.
@Halon5 great to see you around here again. Sadly SNWL missed the opportunity to clear things up. I would assume they have the right sources to gather detailed information from.
My educated guess for now is, that it might have no impact to DPI-SSL because of this paragraph:
Even after the change, in addition to trusting the built-in roots that ship with Microsoft Edge, the browser queries the underlying platform for—and trusts—locally installed roots that users and/or enterprises installed. As a result, scenarios where a user or enterprise installed additional trusted roots to the host operating system's root store should continue to work.
I did some tests (as mentioned above) with the flag enabled and disabled and it actually made no difference, DPI-SSL was working as usual.
Capture Client wise, IMHO there is nothing to do, as long as the OS certificate store is used as well.
I guess we can put a checkmark under this if not proven otherwise.
--Michael@BWC