
Decrypt and Scan HTTPS invalidates HTTPS certificates

I suppose I need to better understand Decrypt and Scan HTTPS Malware Scanning. I noticed that when I browse an HTTPS site the cert is replaced by the Sophos cert. So, my question is why, and how to troubleshoot. If I turn Decrypt off then all is fine.



  • Is it really that easy on a domain? Some browsers don't use the Windows trusted root store, and mobile devices aren't domain joined.

  • Sixteen,

    Checking HTTPS is more necessary these days, when malware is using HTTPS connections to hide itself.

    I am buying a certificate from a public CA to prevent the error on clients, especially on mobile.

    Thanks

  • Did you buy a certificate that XG uses to sign its own on-the-fly generated HTTPS certificates? Any MITM hacker would love to order one too!

    Or just a certificate to open the Sophos webpage without errors?

  • Sorry to all,

    but T9 while I was driving made a big mistake.

    Sorry about that.

    As written, for decrypt and scan you have to import the XG certificate into the computer's browser. At the moment, XG will show the IP address and not the DNS name. We hope that Sophos fixes it soon.

    I am also buying a certificate for the rest of the services.

    Sorry if I do not add more details but I am writing from mobile.

    I deleted your reply because you used a dirty word.

    Regards

  • Let me try a simpler version.

    1) HTTPS uses encryption. It is designed so that no one can listen in on the conversation without you knowing.

    2) If you go to an HTTPS site and it works, then your browser believes that only people who have permission can decrypt the conversation.

         2a) It does this because HTTPS:site.com says it is "signed" by a Certificate Authority which your browser trusts.

    3) If you go to a site and someone is doing a man-in-the-middle attack and decrypting your communications, your browser gives you a warning.

         3a) This is because it is signed by a Certificate Authority you do not trust.

    4) That warning prevents evildoers and governments from decrypting.  But you could ignore the warning and just keep going.

    5) If you decide that having a specific entity listening in on the communication is acceptable and you don't want to be warned every time they do, then you install their CA (Certificate Authority).

    6) Now every time a site is signed by the CA doing the man-in-the-middle your browser is happy, because the certificates are signed by someone it trusts.


    Installing the CA can be done manually on each computer, or via an Active Directory push. You can also do things like host the CA on your own internal site and give a link to it in block pages and such, so that people can download and install it more easily.

    NSA could use the same technique as the XG, but it would still require an action from the computer's admin to install the CA.

  • Eh... short answer, sixteen again, is NO, it is still not "that easy...."


    BUT it is easier.

    Here's the thing - and I have been meaning to write about it for a while and just haven't -


    ** BUYING A SECURITY APPLIANCE - ANY SECURITY APPLIANCE - IS NOT A QUICK FIX TO ANY PROBLEM. ** 


    They are **ALL** designed - even that god-forsaken fish one that squawks on my radio channel all the time about how awesome it is and how it is a be-all and end-all solution - to be a SINGLE PIECE of an overall security policy.

    Security policy includes - 

    • Source of your devices? Corporate owned or BYOD?
    • Location of your data? "Cloud" or on-prem?
    • How is that data accessed?  
    • Do your BYOD users *just* access the internet or do they access local systems?
    • How do you protect your data outside of just your firewall? Encryption? Backups? Disaster Recovery?
    • What ZONES do you have on your network? Where will traffic for wireless and other devices flow?
    • What APPS do you have on your network that may require unfettered HTTPS traffic?
    • What enterprise management systems do you have in place (roughly lumping Active Directory in that category)?  Do you have an MDM/EMM solution? Do your users bring their own devices exclusively?  Do they use mobile to access data ON YOUR NETWORK or just to browse the web?  

    Etc, etc etc.

    I do ** NOT ** speak for Sophos, but I can say that ** THIS IS EXACTLY WHY ** Sophos only sells their hardware devices through authorized re-sellers.   Security is complicated.  There is A LOT to think about and a lot to know.

    This is also **EXACTLY WHY** Sophos sells multiple layers of products - Endpoint, Encryption, Network Edge, Wireless, Mobile Device Mgt.  That is also *EXACTLY WHY* Sophos has spent so much time and effort INTEGRATING all those components so they work nearly seamlessly together. None of them are designed to be deployed in isolation with any sort of expectation that it is a fix for ANYTHING.

    If you are using an EMM/MDM solution, you may be able to push a CA cert with that system similar to how AD does it. If you are using enterprise deployment policies for Apple products (YMMV - I know very little about them), you may be able to push a cert onto iOS and OSX devices. Google may have something similar for Chromebooks.

    Everyone loves BYOD, but BYOD has to include some CONTROL - ie an MDM/EMM solution - that keeps data secure and enforces company policy, which can include things like enterprise CA installation.

    Even that is not perfect; it still will not solve all the issues. I have apps that *absolutely refuse* to be handled properly under HTTPS decrypt-and-scan. Anything that validates its own certificate before connecting - like some of the Amazon Web Services SDKs - will likely break, because they are not just looking for a valid cert, but a *SPECIFIC* valid cert. Those will have to be excluded.

    I can tell you Google Apps *hates* HTTPS d&s.  Websocket applications *hate* d&s.  Anything that includes its own certificate store - like Java apps - will likely break unless you install the cert separately.

    You have to *carefully* plan your traffic to make sure things don't go belly up on you.

    I generally recommend a completely separate zone for your employees' personal devices - don't put them on your core network - employ some sort of EMM/MDM solution if they need to access core network resources, and deploy something like Sophos Endpoint on all devices.  Note - this is not a "be all and end all" description.  Again - lots of planning.

    Go back to your re-seller.  They can help.  If they can't, *FIND ONE WHO CAN* because they are doing you NO GOOD just selling you a device without anything on the back-end to help.

  • Hello,


    Thank you for the great explanations on the issue.

    I currently have the Decrypt and scan HTTPS turned off. I go to Google's web site and still get the 'NET::ERR_CERT_AUTHORITY_INVALID' error.

    I am using the VMware virtual configuration on ESXi 5.5. I have configured a Netgear router on the same IP subnet as the XG on 172.16.16.16.

    That way I can quickly flip back and forth to test and get back to normal Internet access.

    I do want to use this feature in time, but right now I am trying to get the XG just up and running normally, and then work on enabling more features and security.

    If I have Decrypt and scan HTTPS turned off, why would I still get the error or issue?

    I have been an Astaro ver. 7 through UTM ver. 9 user, so the XG has a bit of a steep learning curve for me. Learning to ride the bike all over again, of sorts.

    I had issues with my UTM, and the old CPU up and died on me so I decided to bite the bullet and start over on XG. Love the features.

    When I switch back to XG I will look into trying to download that cert as suggested in one of the posts.

    Right now I am looking for a simple, quick and easy fix so I no longer get the 'NET::ERR_CERT_AUTHORITY_INVALID' error.

    Are there any specific settings I should post in an update to this, if it helps to figure out what I have set or not set correctly, or need to turn off or on, or an additional rule? My XG is very close to a basic default install with one default firewall rule.

    Sincerely,

    Chad


  • If the XG is trying to redirect you to a captive portal login page or display a block page, it will still do a decrypt and scan.

    If you go past the warning, what do you get?

    UTM and XG behave pretty much the same way with regards to HTTPS, just the configuration screens are different.

  • Chad, if you are still getting an invalid certificate, then HTTPS Decrypt and Scan is *NOT* turned off or, by some magic, your browser is still using the same session it did previously and thus getting the error. Double check all the rules, make sure D&S is unchecked, close your browser window, re-open, and try again. Worst case, reboot the Sophos box. Should not be necessary, but hey, stranger things have happened.

    Also - do this - check the certificate that you are getting. Make sure it is still the XG's certificate. The certificate should say it is issued by Sophos SSL CA_xxxxxxxx or SophosCA_xxxxxxxxx. Honestly I can't remember which is the default; it has been so long since I used it. (We use a custom CA issued by our enterprise PKI.) The only reason I suggest that is to make sure we are indeed dealing with the Sophos HTTPS D&S and not some other software. Again - stranger things...
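The check suggested in the reply above (look at who issued the certificate the browser received, and whether it verifies once the XG's CA is trusted, which is steps 5 and 6 of the "simpler version" post), as an added Python example that is not from this thread or from Sophos. The CA name prefixes are the ones named in the reply; the sample certificates and the `xg-ca.pem` file name are constructed assumptions.

```python
import socket
import ssl

# Issuer common-name prefixes the XG uses for its on-the-fly certificates, as
# named in the reply above (the "_xxxxxxxx" suffix is per appliance).
INSPECTION_CA_PREFIXES = ("Sophos SSL CA", "SophosCA")

# Constructed samples in the nested-tuple layout of SSLSocket.getpeercert();
# the names are made up for illustration, not taken from real certificates.
SAMPLE_CERTS = {
    "via_xg": {
        "subject": ((("commonName", "www.google.com"),),),
        "issuer": ((("organizationName", "Sophos"),),
                   (("commonName", "Sophos SSL CA_0a1b2c3d"),)),
    },
    "public": {
        "subject": ((("commonName", "www.google.com"),),),
        "issuer": ((("commonName", "Example Public CA"),),),
    },
}

def _rdn_to_dict(rdn_sequence):
    """Flatten getpeercert()'s ((('attr', 'value'),), ...) tuples into a dict."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}

def classify_peercert(cert):
    """Return 'intercepted', 'direct' or 'unknown' for a getpeercert() dict.
    'intercepted' means the leaf was signed by an XG-style CA, so decrypt and
    scan, a block page or a captive-portal redirect is in the path."""
    issuer_cn = _rdn_to_dict(cert.get("issuer", ())).get("commonName", "")
    if not issuer_cn:
        return "unknown"
    return "intercepted" if issuer_cn.startswith(INSPECTION_CA_PREFIXES) else "direct"

def fetch_peercert(host, port=443, cafile=None):
    """Return (cert_dict, error) for host, trusting the system store plus cafile.
    Without the XG CA the handshake fails verification (the condition the browser
    shows as NET::ERR_CERT_AUTHORITY_INVALID); with the CA exported from the
    appliance (assumed file xg-ca.pem) it verifies and classifies as 'intercepted'."""
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, str(exc)
```

Running `fetch_peercert("www.google.com")` from behind the XG with D&S on returns an error string, while `fetch_peercert("www.google.com", cafile="xg-ca.pem")` returns a certificate dict that `classify_peercert` reports as `'intercepted'`.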

  • Hello,


    I did another factory reset and it is off and not getting the issue. When I do decide to enable it, it looks like I will need to add the XG local certificate to all my machines / browsers.

    I am on call from work this week so not really making any changes or enabling any more features or rules to XG right now, but Monday the 26th of Dec. I will start to enable more features and functions. Thank you for the information.

    Chad