Web Control only works with HTTP

Question

Hi All, 
 Like everyone else no doubt we are trying to ramp up security for all of our home workers by extensively blocking all of the dangerous file types and non work categories using Web Control for Sophos EndPoint. However from testing it appears that web control only blocks port 80 - so anything via HTTPS is bypassed and it is a complete waste of time. In the office our firewall (different vendor) intercepts the HTTPS traffic and we can block/restrict it, but now everyone is at home we have lost this protection. Is there any way I can block file types and web pages delivered over HTTPS for my home workers? 
 TIA 
 Stuart

QC · Accepted Answer

Hello Stuart, 
 the world is going HTTPS it already went, and crooks were by far not the last. 
 As MEric has said, you'll likely need some network device to inspect HTTPS traffic - and even then it's not trivial. Security, privacy, authentication, non-repudiation, and - not to forget - availability and performance are not independent. Pushing one too far at least one of the others will suffer. Whatever you do it's a trade-off. HPKP (HTTP Public Key Pinning) seemed to be a good idea, it has meanwhile been deprecated. Sometimes certain practices, like HTTPS, are imposed on you that make other procedures arduous or even impossible. 
 Without inspection you can't block or allow certain URLs (paths) only sites/hosts ( and even this might not work as expected ), you can't block the download of files with certain extensions, or scan the content while it's still in transit. The latter can be quite a challenge to configure and even where content scanning is possible it has limited functionality on endpoints so as not to break things. 
 how do you manage to secure and restrict HTTPS it depends on the actual risks and the environment. As said, it's always a trade-off. The measures that help to contain Covid-19 also help against other infections but they are "too expensive" to keep them up for a longer period let alone establish them as standard, though in certain areas operating procedures will likely undergo permanent changes. You could deploy hardened devices, connect you home workers via dark fibre, and so on. Who can afford this? OTOH, "The Internet" is not a generally dangerous place. "Accidental dangerous downloads" are rare (at least should be in a work environment), in most cases the source is scam, phishing, social engineering. Of course, someone else's (business partner, agency, government body) site could be compromised. We are talking about HTTPS and thus browsers - AFAIK vectors of file-less malware and, as MEric has said, Endpoint will scan what has been downloaded. BTW: Download reputation doesn't work with Firefox . Even though the article says recently been removed from Firefox it's IIRC quite some time. Apparently a re-introduction of reputation lookup is not high priority. And it anyway only looks up a certain type of executables. 
 Last but not least: Unscannable HTTPS in case of Business device private use or with BYOD is IMO one of the lesser problems. 
 Christian

RichardP · Answer

QC said: 
 OTOH, "The Internet" is not a generally dangerous place. "Accidental dangerous downloads" are rare (at least should be in a work environment), in most cases the source is scam, phishing, social engineering.

:D 
 
 My forensics background + career path made me chuckle at this. Oh, to be an optimist again!

However, Christian is correct on all points here. We are constantly looking at improving the balance between threat posture and risk acceptance in the product. On the one hand, I firmly support End-To-End encryption in a personal/privacy stance at home and for personal use but its different in a corp environment. Hence the network appliance is a good start. 
 
 On the endpoint, yes it is ideal to snag the item before it is downloaded, but even then we have other protection layers. If you are using our Central product you get our Deep Learning engine which will evaluate all PEs at time of execution and can stop them if it determines the PE is malicious. DL is the best defence we have right now against 0day threats and it is very effective. We also full scan any PE downloaded even if it isn't run (as a background process) so if the malware gets on but isn't executed then we'll come along and find it. 
 
 finally, Intercept X operates on the basis of malicious actions are bad no matter who is doing them - so it looks at the things the program is trying to do not what the program is. It will stop malicious actions based on its rules parameters and settings even if the monitored PE is signed. 
 
 So, with a full security suite you get interception chances at: 
 
 Network layer 
 Save to Disk 
 Execution 
 Post Execution - during operation 
 
 I hope this helps. If you have any further questions, please let me know. 
 Sincerely, 
 Richard