
Decrypt and Scan HTTPS invalidates HTTPS certificates

I suppose I need to better understand Decrypt and Scan HTTPS Malware Scanning. I noticed that when I browse an HTTPS site, the cert is replaced by the Sophos cert. So, my question is why, and how to troubleshoot. If I turn Decrypt off then all is fine.



  • This is the way HTTPS filtering - just about ANY HTTPS filtering - has to work. HTTPS is an encrypted protocol. Normally, a "middle-man" - like a firewall - cannot snoop on the traffic at all. It has no way to decrypt the traffic, as the two endpoints negotiate the encryption algorithm and pass keys back and forth in such a way as to keep someone from just snooping and impersonating one side or the other.

    The only way, then, to decrypt and scan that traffic, is to perform what, in the wild, anyway, would be the equivalent of a "man-in-the-middle" attack. The firewall therefore acts as the "client" and talks to the secure site, and generates a "fake" certificate to talk to the client, thus impersonating the secure site.

    To resolve this: Trust the root certificate of the XG box. Then the HTTPS certificates will appear valid in your browser.

    You will have this problem on ANY device - XG, UTM, Watchguard, etc - that performs deep HTTPS inspection.
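The mechanism described in the reply above, reproduced with openssl as an added example (this is not code from the thread or from Sophos). It builds a private "inspection CA" standing in for the firewall's HTTPS Scanning CA, uses it to issue a certificate for a site the firewall never had a key for, and then verifies that certificate twice: once the way a client that trusts only the public roots would, and once after adding the firewall CA, which is exactly the "trust the root certificate" fix. The CA name "XG HTTPS Scanning CA" and the hostname www.example.com are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Simulates an inspecting
# firewall: a private CA (assumed name "XG HTTPS Scanning CA") issues a
# certificate for a site it does not own (assumed host www.example.com),
# and we check how a client judges that certificate with and without the
# firewall CA in its trust store. Requires the openssl CLI.
set -e
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

HOST="www.example.com"
WORK="${TMPDIR:-/tmp}/https-inspect-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Step 1: the firewall's own root CA (what you would download from the XG box).
make_inspection_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=XG HTTPS Scanning CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: the "fake" server certificate the firewall mints on the fly for the
# site being visited. The SAN must match the hostname or browsers reject it
# even when the CA is trusted.
forge_site_cert() {
    host="$1"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/site.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -extfile "$WORK/san.ext" -out "$WORK/site.crt" 2>/dev/null
}

# Who issued the leaf? A real site's cert names a public CA; an inspected
# connection names the firewall CA. This is the quickest manual check for
# "is my HTTPS being decrypted?" (browser: click the padlock, read the issuer).
leaf_issuer() {
    openssl x509 -in "$WORK/site.crt" -noout -issuer | sed 's/^issuer=//'
}

# Verify the forged cert as a client would, including the hostname check.
# $1 = extra CA bundle the client trusts ("" = only the default public roots).
# Prints "trusted" or "untrusted" so a caller can branch on the verdict.
verify_as_client() {
    cafile="$1"
    opts=""
    [ -n "$cafile" ] && opts="-CAfile $cafile"
    if openssl verify $opts -verify_hostname "$HOST" "$WORK/site.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_inspection_ca
forge_site_cert "$HOST"
echo "leaf issuer:              $(leaf_issuer)"
echo "public roots only:        $(verify_as_client "")"
echo "public roots + firewall:  $(verify_as_client "$WORK/ca.crt")"
```

The first verdict is what produces the browser warning the original poster saw; the second is what the "trust the XG root cert" fix buys you. Note that the forged leaf is only accepted because the client was explicitly told to trust that one extra CA, which is also why the same trick does not work for an attacker who cannot get his CA into your trust store.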

  • Sorry to be ignorant, how do I trust the XG root cert? Also, thank you for the explanation.
  • Shamelessly copying this from one of my other posts on this forum.....


    Go here: Protection > Web Protection > Web Content Filter, find HTTPS Scanning CA. See which one is listed. (I can't remember which is the default, and we use a custom CA here)

    Then go here: Objects > Identity > Certificate Authority, find the CA listed above and click the download button on the far right.

    Then, install that onto each computer in the trusted root store. See KB article here: www.sophos.com/.../42153.aspx for instructions. Those instructions are for the web appliance, but starting at the end of #1, it becomes generic.

    Note - this is not perfect. There are devices - like the roku and others - that have their certs built in and there ain't crap you can do for it.

    As such, to exempt a specific device from policy, you can either create rules for them based on their IP, or create clientless users here: Objects > Identity > Clientless Users for your other devices and then create one rule exempting the clientless users group from https filtering. You can also create a separate wireless network on a separate network segment and exempt all of that traffic from scanning - almost like a guest wifi or something. There are options.

    Clientless group instructions:

    1) Create a clientless users group
    Objects > Identity > Groups
    Add.
    Enter a group name.
    Group Type: Clientless
    Quarantine Digest: Disable
    Save.

    2) Create Clientless users for each exempt device.
    Objects > Identity > Clientless Users
    Add (or add range, if they are in a specific range)
    Enter a username - something descriptive for the device (ex: ccamp-iphone)
    IP Address: the internal ip address
    Group: The clientless group you created in step 1
    Name: Some name. Descriptive. "My Iphone"
    Email: fake an email address. Next version won't require this.
    Description: More useless description info. Not required.

    Click the plus sign if you need to add additional devices.

    Click save.

    3) Create security policy
    Security Policies
    Click on your HTTPS filter rule, click the plus sign, click "Above (User/Network Rule)"
    About this rule---
    Name: Allow Clientless to Bypass Filter
    Identity---
    Match Rule based on user identity: On
    User or Groups: Clientless Group created in step 1
    Source---
    Zone: Lan
    Networks: Any
    Services: HTTP,HTTPS, others if you need them, but these suffice for this walkthrough
    Destination---
    Zone: WAN
    Networks: Any
    Malware Scanning---
    Scan FTP OFF
    Scan HTTP OFF
    Decrypt & Scan HTTPS OFF

    Save.

    This bypasses the specific clientless devices you created from the webfilter entirely. This is actually a reasonably good solution - and may be the "best" solution for roku/appletv/chromecast and other fixed devices that do not regularly leave your network.
  • You are correct in a limited way; I do not have a deep understanding, as you provided. All your post did is reinforce my original statement. If an XG or UTM 9 can do the interception, why can't a bad guy using the same techniques? Isn't that how the NSA and others have got access to data in encrypted streams? The only way is to build your own encryption between you and the people who are important to you, with no allowed certificates except the one you provide; otherwise your trust of the connection is broken.
  • (sigh)

    That is ONE extreme level of security, but if you require that level of security, you need to go ahead and disconnect yourself from the internet and create a private network like the gov't does in a SCIF. You aren't going to find that level here.

    The KEY to the SSL/TLS security is the fact it is "secure enough." Your BROWSER or OPERATING SYSTEM is supposed to alert you when a connection is not *trusted*. Thus, NSA and black hats would NOT be able to just bypass SSL... WITHOUT YOUR KNOWLEDGE. Can they? Yes. Will you be alerted to a potential threat? YES.

    You can probably even set your browser to reject untrusted certs outright. I think there is a policy setting in there somewhere.
