
Do you know HSTS?

Finally I'm trying web content filtering.

I have deployed the Sophos certificate on every client on my network, except the mobile clients, and I have activated two basic rules in this order:

- Authenticated user -> Lan -> Wan -> HTTP and HTTPS scan -> no explicit content web filter

- All user -> Lan -> Wan -> no scan -> deny all content filter

So the unauthenticated user will be redirected to the authentication portal as per the captive portal configuration.

The problem is Chrome + Google

When an unauthenticated client (for example a mobile device) opens Chrome (which, for Android mobile devices, is the most common browser), it shows the untrusted certificate page but doesn't allow continuing, so the user is never redirected to the login page.
With Internet Explorer, which doesn't yet support HSTS, the untrusted certificate page appears, but at the bottom there is a link to continue, and after that it loads the login page.
With Firefox you must first trust the modified Google/Sophos certificate, then the Sophos appliance certificate, and after that you are on the login page.
So the problem is only Chrome, but as said, for Android devices it is not a small problem.

With Chrome, if I go to a website with HTTPS and no HSTS, or to an HTTP page, everything works perfectly, with the Sophos login page correctly shown. The only problem is if, as users usually do, I search from the browser bar: that bar sends me to HTTPS://google.com, which has HSTS enabled.
Is there a way to solve this issue?

I know that Sophos uses the MITM technique to pop up the login page for unauthorized websites, but in my case I want to block ALL websites if users are not authorized/authenticated. To do that I have used Web Content Filter with Deny All. Is there a configuration to do this without Web Content Filter? This could be a workaround for my specific case.

Many thanks

Manuel



  • No! HSTS says every connection must be SSL encrypted. Hotspot logins will have more and more problems with it in future.

  • Hi Manuel,

    Greetings.

    The solution to this is quite simple. Navigate through the options:

    • System
    • Authentication
    • Authentication Services
    • HTTPS Redirection - deselect this check box.

    This will not direct unauthenticated users to the HTTPS-based captive portal, and the HSTS error will be resolved.

    Thanks

    Sachin Gurung

  • But he got an SSL error. An unauthenticated user is normally not a patched machine.

  • Hi all

    HSTS is end-to-end checking from client to server for unsolicited proxy attempts. A user authentication redirect will be detected as an unsolicited MITM attack, so the client and server will crash the connection with a "do not proceed, pass go and collect $200".

    HSTS, or HTTPS Strict Transport Security, effectively kills off any attempt at doing any kind of HTTPS redirection in transparent filtering mode, even if the client trusts the appliance's cert!

    There is only one way to get round this, and that is to use a solicited proxy: set up web proxying under System > System Services > Web Proxy and deploy the SSL cert found under Objects > Identity > Certificate Authority as a Trusted Root Certificate.

    The only other way to get round this and authenticate clients on your network is to deploy and install the Authentication Clients found under System > Authentication > Authentication Clients in the Clients section. This is a tray-icon-type application that they can log in to with their credentials; then, in the web filtering policy you've made, turn off redirection and decrypt and scan HTTPS.

    HSTS is the current bane of my life as I deal with a lot of educational establishments and I say "Proxy technology is 10 years behind the security of today" and that's for deployment through auto configuration.

    Hope that helps,

    Emile

  • My configuration is exactly what you have shown, but it works ONLY with HTTPS sites that don't use HSTS. This is the problem.

    Google, Facebook, Twitter and many more use HSTS, and this sends you to another page, different from the typical SSL certificate warning page. Here are some examples:

    HTTPS with HSTS

    and this one is without HSTS

    As you see, the one with HSTS doesn't let you continue with a link as on the sites without HSTS.

  • Hi Sic,

    In cases where HSTS is not used and the devices trust the XG's certificate, you might be OK and not get any problems in redirection, or you are allowed to click to proceed.

    However, transparent web filtering with Decrypt and Scan is not effective and causes issues with the way browser security operates today. The only way to mitigate this is by using a web proxy, so the device actually trusts the proxied connection.

    Regards,

    Emile

  • Hi Sic,

    HSTS requires the browser to only allow trusted HTTPS connections. If you have enabled HTTPS inspection and the user's browser does not trust the appliance as a trusted root authority to issue certificates on behalf of websites, you will not be able to click through.

    If you set up the appliance as a trusted root authority, either by importing the certificate authority from the appliance into the browser or computer store or by setting the appliance up as a subordinate authority to the customer's existing enterprise certificate authority, you should not end up blocked by HSTS.

    NOTE: depending on the browser/operating system, the mechanism to trust the certificate authority of the appliance will vary. For example, with current Windows environments and Internet Explorer/Edge/Chrome you often need to install it into the computer certificate store. You should also note that Firefox uses its own certificate store, so if the end user is using multiple browsers you might need to install the appliance multiple times.
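The two replies above (Emile's "HSTS kills HTTPS redirection even if the client trusts the cert" and the explanation that a browser trusting the appliance CA is not blocked) describe browser behaviour that is easy to see in a small model. The following is an added example written for this page, not code from the thread or from Sophos: it parses Strict-Transport-Security headers following the RFC 6797 grammar and then applies the browser's decision rule for a certificate it cannot validate. Host names, header values and timestamps are constructed, and the decision logic is a simplified model of what Chrome does, not an extract of its source.

```python
"""Browser-side model of the HSTS behaviour described in this thread.

Added example, not code from the thread or from Sophos. It follows the
Strict-Transport-Security header grammar of RFC 6797 and models (in a
simplified way) how a browser decides whether a user may click past a
certificate warning. All host names, headers and timestamps below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time (seconds) when the policy lapses
    include_subdomains: bool


def parse_hsts(header: str, now: float) -> Optional[HstsPolicy]:
    """Parse an STS header value such as 'max-age=31536000; includeSubDomains'.

    Returns None when max-age is missing or not a number; RFC 6797 tells the
    browser to ignore such a header rather than guess.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    # max-age=0 means "forget this host": the expiry then equals now.
    return HstsPolicy(expires_at=now + max_age, include_subdomains=include_sub)


def is_known_hsts_host(host: str, cache: Dict[str, HstsPolicy], now: float) -> bool:
    """True if host (or a parent with includeSubDomains) has an unexpired policy."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        policy = cache.get(candidate)
        if policy is None or policy.expires_at <= now:
            continue
        if i == 0 or policy.include_subdomains:
            return True
    return False


def cert_error_outcome(host: str, chain_trusted: bool,
                       cache: Dict[str, HstsPolicy], now: float) -> str:
    """What the browser does with a TLS certificate it cannot validate.

    'proceed': chain validates (e.g. the appliance CA is installed), page loads.
    'warn':    interstitial with a click-through link (non-HSTS host).
    'block':   hard failure with no override, which is what the thread
               describes for google.com behind an untrusted re-signing proxy.
    """
    if chain_trusted:
        return "proceed"
    if is_known_hsts_host(host, cache, now):
        return "block"
    return "warn"


if __name__ == "__main__":
    now = 1_000_000.0
    # Constructed cache: google.com cached with includeSubDomains,
    # example.org cached without it.
    cache = {
        "google.com": parse_hsts("max-age=31536000; includeSubDomains", now),
        "example.org": parse_hsts("max-age=600", now),
    }
    for host, trusted in [("www.google.com", False), ("example.com", False),
                          ("www.example.org", False), ("www.google.com", True)]:
        print(host, "trusted" if trusted else "untrusted",
              "->", cert_error_outcome(host, trusted, cache, now))
```

Running the block prints `block` for www.google.com with an untrusted chain (the captive-portal case in the original question), `warn` for a host with no cached policy, and `proceed` once the chain validates, which is why installing the appliance CA fixes the problem for managed clients but not for an unauthenticated phone that has never seen it.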

  • Hi All,

    Thanks for choosing Sophos.

    Please refer to the link for the Sophos SSL CA installation guide.

    https://www.sophos.com/en-us/support/knowledgebase/123048.aspx

    Thanks

    Sachin Gurung

  • Hello Manuel,

    Based on the problem description, it looks like you are facing an issue with the Google QUIC protocol implemented in Chrome.

    QUIC is a protocol developed by Google for a faster browsing experience; it works on the UDP transport layer, and Chrome uses it to communicate with Google's servers.

    I assume that you have installed the appliance's SSL certificate in the browser, and when clicking certificate information in Chrome you should be getting Google's original certificate instead of the appliance's certificate, as you have enabled Decrypt & Scan HTTPS in the security policy.

    QUIC works on UDP port 443, so in order to make it accessible from Chrome you need to create a firewall rule with action DROP for UDP port 443 to fix the issue,

    as if QUIC fails, Chrome falls back to the original TCP connection.

    Check the same and let us know.

  • I ran into this problem after turning on Decrypt and Scan HTTPS in XG V16. Facebook and many other sites didn't want to load, with HSTS errors. Turning it back off fixed it, but I'm not sure what I'm giving up in security.