I decided to enable HTTPS scanning for my home network but I'm curious what everyone else's thoughts are. I basically created a MAC Host for the devices I want HTTPS scanning on (computers and mobile devices) and cloned my "LAN to WAN" rule. Within this cloned rule, I set the Source Devices to the MAC Hosts I created and enabled HTTPS scanning. This way, only the devices I'm able to install the Sophos certificate on will have HTTPS scanning enabled. I have a lot of other smart home devices (Nest thermostats, Abode security system, etc.) that use HTTPS to communicate with their servers but that I obviously can't install the Sophos certificate on. Everything appears to work okay, but I noticed there are several apps on my iOS devices that won't work because of a certificate issue - they don't use the Sophos certificate I installed. My solution was to add an exception (Web -> Exceptions) for those apps, but the problem is that for some of my apps I have no idea what domain to add to the exception list (using their webpage domain doesn't work). I've emailed those companies to hopefully get the appropriate domain. Anyways, this solution should work, but it isn't the most elegant. Also, I don't know if I like the idea of my HTTPS traffic being decrypted from "trusted" websites, because now sensitive information is being decrypted between my devices and the server, which I think brings up a potential security issue - this assumes there's nothing malicious in the Sophos XG firewall code or the hardware it's running on. I'm not really concerned about this as Sophos is obviously a well-established company, but it's still something to consider, because your secure traffic is now being decrypted on your Sophos device.
That being said, this got me thinking - what I really want is the ability to decrypt/scan HTTPS traffic from websites that aren't "trusted" or well known. Is there any reason to decrypt/scan traffic from, say, bankofamerica.com? I would think the only traffic you would really need to decrypt/scan is from lesser-known websites and/or companies. I know I can already achieve this by just manually adding websites to my exceptions list, but this would obviously be very tedious. An idea I had was: what if there was a pre-built exceptions list that contained "trusted" websites? This would be a list that is viewable to the user but is updated via the Sophos cloud, similar to their web/application categories. I know I can add web categories such as "Financial Services", but the problem is I don't know what websites fall under these categories. Perhaps if we could just view what's listed in those categories, we could already achieve this. So these would be my requested features:
- Ability to view what domains are contained in the web categories.
- Ability to search for a domain in all categories (for finding which category a specific domain falls under). EDIT: Just discovered this is possible on the Diagnostics page under ‘URL Category Lookup’.
- Ability for the exceptions list to be set to either an 'AND' or an 'OR' statement. Right now, if I try to add a domain to the exceptions list and add a web category, it's basically an 'AND' statement - the website I added has to match the web category before it's considered an exception. EDIT: It looks like you can still essentially achieve this just by creating a separate exception “rule”, one for categories and one for URLs.
Anyways, would be curious to hear your thoughts on Scan HTTPS. Maybe I'm just being too paranoid and it's overkill for a home network. :) Is Scan HTTPS really necessary for well known, trusted websites? How did you implement Scan HTTPS for your home network?
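One thing the post leaves to guesswork is how to confirm, from a client, which hosts are actually being decrypted by the firewall and which are passing through untouched (because the device is outside the MAC Host, or the domain is on an exception). A TLS-inspecting proxy re-signs every leaf certificate with its own CA, so the issuer of the certificate the client sees tells you immediately which path a host took. The following Go program is an added example written for this page; it is not code from the original post or from Sophos. It assumes the inspection CA's common name is "Sophos SSL CA" (read the real value off the certificate you exported from the XG), that the services of interest listen on port 443, and it builds throwaway self-signed certificates purely so the classification logic can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// InspectionCACN is the common name of the CA the firewall re-signs leaf
// certificates with. This value is an assumption: use the CN of the
// certificate you exported from the XG and installed on your devices.
const InspectionCACN = "Sophos SSL CA"

// Classify reports whether a leaf certificate was issued by the inspection CA
// ("intercepted") or came from the origin server untouched ("passthrough").
func Classify(leaf *x509.Certificate, inspectionCN string) string {
	if leaf == nil {
		return "unknown"
	}
	if leaf.Issuer.CommonName == inspectionCN {
		return "intercepted"
	}
	return "passthrough"
}

// Probe opens a TLS connection to host:443 and returns the leaf certificate the
// client actually receives. Verification is disabled on purpose: the goal is to
// observe the presented certificate even from a machine that does not trust the
// inspection CA, not to validate it. Do not reuse this config for real traffic.
func Probe(host string, timeout time.Duration) (*x509.Certificate, error) {
	d := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(d, "tcp", net.JoinHostPort(host, "443"), &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: true, // observation only, see comment above
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s: no certificate presented", host)
	}
	return certs[0], nil
}

// ConstructedLeaf builds a throwaway certificate for subjectCN whose issuer CN
// is issuerCN, signed with a fresh P-256 key. Constructed test data only; it
// lets Classify be exercised without network access.
func ConstructedLeaf(issuerCN, subjectCN string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// The parent template only contributes its Subject (which becomes the
	// leaf's Issuer); the same key signs for simplicity.
	parent := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: issuerCN},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subjectCN},
		DNSNames:     []string{subjectCN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Usage: go run . host1 host2 ...  (run once from a device in the MAC Host
	// and once from a device outside it, and compare the columns)
	for _, host := range os.Args[1:] {
		leaf, err := Probe(host, 5*time.Second)
		if err != nil {
			fmt.Printf("%-30s error: %v\n", host, err)
			continue
		}
		fmt.Printf("%-30s %-12s issuer=%q\n", host, Classify(leaf, InspectionCACN), leaf.Issuer.CommonName)
	}
}
```

Running it from a scanned device against a host you expect to be exempted (one on the Web -> Exceptions list) should print "passthrough" with the origin's public CA as issuer; a host that still shows the inspection CA is not matching the exception, which is usually the fastest way to find that an app is talking to a different domain than the company's website. Note that a pinned app will still refuse the connection even when the issuer is the installed inspection CA; that is exactly the iOS failure described above, and it only goes away once the app's real domain is exempted.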