Carbon Black Cloud: Does Disabling the CRL Check on Sensors Open Communications to Man in the Middle Attacks?

Article ID: 288890

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Does disabling the Certificate Revocation List (CRL) check at the time of Sensor install result in the Sensor becoming open to man-in-the-middle attacks?

Environment

  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All supported versions

Resolution

Disabling the CRL check does not immediately open the Sensor to man-in-the-middle attacks.

Additional Information

  • CRL checks often fail when proxies are involved because the CRL check process is offloaded to WinHTTP
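
Before disabling the check, it helps to confirm that revocation retrieval is what is failing. The following PowerShell is an added example, not Carbon Black code and not the Sensor's own validation logic: it shows the WinHTTP proxy settings, then builds the server's certificate chain with online revocation checking and separates "revoked" from "revocation data unreachable". $HostName is a placeholder parameter, and the example assumes that .NET chain building on Windows retrieves CRLs over the same system path the Sensor's check depends on.

```powershell
# Added example, not Carbon Black code. $HostName is a placeholder parameter:
# pass the backend hostname your sensors are configured to reach.
param(
    [Parameter(Mandatory)][string]$HostName,
    [int]$Port = 443
)
$X509 = 'System.Security.Cryptography.X509Certificates'

# 1. WinHTTP proxy settings (separate from the per-user browser proxy).
netsh winhttp show proxy

# 2. Capture the server's leaf certificate. The callback accepts any certificate
#    only so it can be captured; the chain is evaluated explicitly in step 3.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $leaf = New-Object "$X509.X509Certificate2" -ArgumentList $ssl.RemoteCertificate
} finally {
    $tcp.Dispose()
}

# 3. Build the chain with online revocation checking enabled.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
[void]$chain.Build($leaf)
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status })

# 4. Separate "revoked" from "revocation data could not be retrieved".
if ($flags -contains 'Revoked') {
    'REVOKED: a certificate in the chain is listed as revoked.'
} elseif ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') {
    'UNKNOWN: revocation data was unreachable; check the WinHTTP proxy path to the CRL/OCSP URLs.'
} else {
    'No revocation problem reported for this chain.'
}
"Chain status flags: $($flags -join ', ')"
```

Run it on an affected endpoint, since the WinHTTP proxy configuration is per machine. A previously cached CRL can make the check succeed even when the proxy path is currently broken.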