CVE Best Practices

Certificate verification is essential to HTTPS security. If mismanaged, HTTPS security and the security of your network can be compromised and significantly weakened.

Certificate verification is an investment.

• Certificate checks fail in expected and intended ways when browsing to sites with CAs not known to Content Gateway. That’s security. Regular, proactive user education helps users recognize and assess legitimate failures. See Frequently Asked Questions for a summary of information for users.
• Certificate checks may also fail in unexpected ways that also require user education, as well as administrative effort in the form of investigation and remediation.

When using SSL certificate verification, therefore, you need to know:

• Your organization’s certificate verification requirements as they pertain to your IT security policy.
• Your organization’s ability and willingness to manage the administrative burden. When verification fails and there is no remediation in place, the connection request is dropped and users often call HelpDesk. Some failures will require administrator investigation and remediation.

To administer certificate verification, you need to:

• Know which failures legitimately protect your network
• Know how to investigate failures
• Determine which failures are undesirable and can be remediated (certificate replacement, verification bypass, other)
• Educate users about SSL connection failures, what they look like, and why they occur
• Anticipate more HelpDesk calls
  Important:

  You should not use Content Gateway to proxy internal traffic.

  However, if you do, before enabling the CVE, audit your internal HTTPS servers to ensure that their certificates are valid and trusted by Content Gateway.

If you plan to use the CVE, be sure to acquaint yourself with these topics:

• Troubleshooting Certificate Verification Failures
• Certificate Verification Failures and Remediation Options