Why does mutual TLS authentication prevent TLS interception?įirewalls performing TLS interception break TLS connections in half: clients connecting through such a firewall are actually establishing TLS connections with the firewall, validating the firewall’s certificate (usually issued by an enterprise CA under the control of the organization operating the firewall), and the firewall establishes its own connections to the server. Note: The end-to-end encrypted security model of Tresorit does not assume that TLS is secure - your data that is transmitted in the encrypted tunnel is already encrypted with keys only you and the people you have chosen to share your data with have access to. These lists are already signed by the certificate authority, and fetching them over HTTP is actually considered to be standards-compliant behavior - for more information on the rationale behind this, read the “Security Considerations” section of RFC 5280. There is one notable exception: certificate revocation lists (CRLs) are fetched over HTTP. Frequently asked questions Why are you using HTTP? Isn’t that insecure?Īlmost all communication between our clients and servers use HTTPS, and are thus secured by TLS. Contact your identity provider for more information. If you have configured Tresorit to use single sign-on, you will also need to ensure that outgoing connections to your identity provider are allowed. You can rely on HTTPS connections established by Tresorit clients to use server name indication. If you are able to, we recommend that you set up hostname based filtering (or a combination of IP and hostname based filtering). It is assembled by filtering the IP ranges published by Microsoft for specific products and regions, so these will include IP addresses that belong to other tenants of Microsoft’s public cloud. Many of the hostnames in the list point to services that have no fixed IP address, so the list of IP ranges is quite large. Tresorit’s servers are hosted in Microsoft Azure. HTTP (80) - used to fetch Certificate Revocation Lists (CRLs) HTTPS (443) - used for all communication between the application and our servers Our applications connect to these servers via the following TCP ports: The second column includes a list of tags that indicate which parts of our service requires that particular hostname or IP range to be allowed. Their URL is stable and may be used by scripts to update firewall settings automatically. These lists are published as UTF-8 encoded CSV files. □ Note: The lists published here are subject to change without notice. To help you configure firewall appliances on enterprise networks (and even some firewall software), we publish the list of IP ranges and hostnames you need to add to your allowlist in order to let Tresorit connect to our servers: If everything seems to be set up correctly, but the issues persist, we are here to help. If for some reason you cannot disable TLS interception, you can still use our web client, provided that such software does not modify the actual requests and responses. Our desktop and mobile clients use mutual TLS authentication when communicating with our servers, so even if such certificates were to be taken into account, interception would not be possible. We maintain our own list of trusted certificate authorities, and as such, enterprise certificate authorities imported into the system’s certificate store required for such security software to work have no effect. Tresorit is not compatible with firewalls and security software that perform TLS interception. A detailed list of IP ranges and hosts to add to your allowlist are available in the next section, but for most consumer grade firewall software, simply allowing the application to establish outgoing connections is enough.ĭisable TLS interception and similar features Make sure outgoing connections are permittedĬheck if Tresorit works when firewall, intrusion detection and anti-virus software are disabled - if so, you will likely have to configure them to allow Tresorit to connect to remote servers.
0 Comments
Leave a Reply. |