
Web proxy and TLS 1.3

Hi,

is there a plan to support TLS 1.3 in Web proxy (port 3128 configured in browser)?

Now running 18.5 MR1, and when the web server supports only TLS 1.3, then the connection fails over the web proxy.

Thanks for info.

  • LuCar and I are both from Sophos.

    I can confirm that:

    The web proxy, whether running in standard or transparent mode, supports up to TLS 1.2 for decryption.  This applies to both the Client->XG connection and the XG->Web server connection.  If you are not decrypting traffic, it supports TLS 1.3.

    That effectively means if you are not decrypting traffic then you are fine.  However, if you are decrypting traffic and you are using a browser that only supports TLS 1.3, or going to a website that only supports TLS 1.3, you will be blocked.

    In practical terms, client->XG communication is internal to your network and high security is not as important.  The XG->web server communication would be improved with TLS 1.3; however, pretty much all web servers that support TLS 1.3 also support 1.2 (in fact it is hard to find a test server like that), and ssllabs.com lowers the score for any TLS 1.3-only servers.


    DPI mode, running in transparent mode, fully supports TLS 1.3 and has a lot more fine tuning of TLS support.

  • Hello Michael,
    thanks for the information. Got the point.
    Anyway, I've hit some servers only on TLS 1.3 in the past. And I would guess they will rise in number over time.

    So let's say I have web proxy in standard mode listening on port 3128 and doing decryption now.
    Can DPI be used to decrypt the traffic for such web proxy usage?

  • No you cannot do both proxy and dpi for the same traffic.

    If you do have servers that only support TLS 1.3 you can add a Web Exception to turn off TLS decryption for them.
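
To find such destinations before users hit them, the following added example (my own code, not Sophos's and not from this thread) probes a host with a handshake pinned to TLS 1.2 and then to TLS 1.3, and lists the TLS 1.3-only hosts as Web Exception candidates; the host names in the code are constructed placeholders.

```python
"""Probe which web servers still accept TLS 1.2 (what the XG web proxy needs
for decryption) and which answer only on TLS 1.3 (Web Exception candidates).
Added example, not Sophos code.  Requires Python 3.7+ for ssl.TLSVersion."""
import socket
import ssl
from enum import Enum


class TlsSupport(Enum):
    TLS12_OK = "supports TLS 1.2 (proxy can decrypt)"
    TLS13_ONLY = "TLS 1.3 only (needs a Web Exception to skip decryption)"
    UNREACHABLE = "no TLS handshake possible"


def _handshake(host, port, version, timeout):
    """Return True if a handshake pinned to exactly `version` completes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # This probe tests protocol negotiation only, so certificate trust is
    # deliberately not checked here; the proxy still validates certificates.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError, timeouts and refused connections
        return False


def probe(host, port=443, timeout=5.0):
    """Classify one host; a server offering both versions negotiates 1.2."""
    if _handshake(host, port, ssl.TLSVersion.TLSv1_2, timeout):
        return TlsSupport.TLS12_OK
    if _handshake(host, port, ssl.TLSVersion.TLSv1_3, timeout):
        return TlsSupport.TLS13_ONLY
    return TlsSupport.UNREACHABLE


def exception_candidates(results):
    """From a {host: TlsSupport} map, return hosts needing a Web Exception."""
    return sorted(h for h, r in results.items() if r is TlsSupport.TLS13_ONLY)


if __name__ == "__main__":
    # Constructed placeholder names; replace with the destinations you proxy.
    hosts = ["www.example.com", "tls13only.example"]
    results = {h: probe(h) for h in hosts}
    for h, r in results.items():
        print(f"{h}: {r.value}")
    print("Web Exception candidates:", exception_candidates(results))
```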

  • Hello Michael,

    ok, so now it is clear how it behaves, and this is what I was asking. So there is a last question.

    So the standard web proxy now does not support TLS 1.3 decryption and will not be usable in future without it.
    There are some users/companies preferring such a mode.

    Will Sophos add TLS 1.3 decryption support to the standard web proxy, or should we consider it an obsolete feature which will be removed in new releases?

  • Why do you use Direct Proxy in the first place? Is there any kind of advantage of using a direct proxy?

  • Hi LuCar,

    short story: I use it because it better suits my needs. That's it.

    longer story:
    I have another firewall/router in place and it works fine for me. I do not want to touch something that is stable.
    The benefit of UTM and now XG is that you can use it as a "server" for many security features:

    1. web proxy - you can set it in the browser and create your own rules for what should go over the proxy in a browser add-on or in a PAC file.
    I do not want to inspect traffic transparently and make more rules and exceptions on the FW itself.

    2. email scanning - the MTA mode is excellent. It allows me to do AV/AS and behave as a regular MTA.

    3. web server - again, it acts as a WAF server forwarding requests to another server

    In my design I'm not able to use the transparent features effectively for mail etc. In general I find the server options (MTA, proxy)
    better and more stable. With transparent MITM you may hit more issues than when terminating SSL on a server. At least that's my experience.

    So these are features you will not find in other similar products. I would say there are still customers preferring such direct proxies for some isolation reasons.
    For me it is not crucial (home user); I will just stop using it.

  • The standard web proxy will continue for years and new features are being added.  However new feature development priorities are balanced between customer needs, security, the internet landscape, acceptable workarounds, etc.  Implementing TLS 1.3 on the web proxy will mean that some other feature won't be done instead.  Right now I don't think that TLS 1.3 is a high enough priority that it is in any particular roadmap.  So please continue to rely on the standard mode proxy, but don't expect TLS 1.3 support to be added in the foreseeable future.

  • Hello Michael,

    thanks for this feedback, it is a clear statement.
    I know that many companies, even some big ones, are still using proxies (cloud, on-premise),
    and I wanted to know Sophos's position.

    I consider this answered and resolved.