UTM 9 Home - Difficulties with Wells Fargo site

Greetings,

I'm running UTM 9 Home. Generally speaking I have no issues getting to websites, I'm running in Transparent mode and do not proxy HTTPS. 

Wells Fargo used to work fine, but in the past few months (maybe longer) it has become increasingly difficult to connect to. I'm running 3 different browsers and all 3 experience slowness or inability to connect. All my other financial sites work just fine, in fact this is the only site I'm having difficulties with.

I've tried a filtering exception: ^https?://[A-Za-z0-9.-]*\.wellsfargo\.com/

I tried Skipping Transparent Mode Destination: 159.45.0.0/16  (wellsfargo network address)

I tried disabling EndPoint protection

I've tried other stuff I cannot remember, nothing seems to be shaking this loose. 

Any suggestions?

Thanks.

  • Hi, James, and welcome to the UTM Community!

    I always configure the following Exception:

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I think Bob's settings only apply when https scanning is enabled.

    Certificate checking ensures that you are on the intended site, that your packet was not hijacked. I strongly advise requiring certificate verification. But again, with https inspection turned off, this check is done by your browser, not by UTM.

    Most likely, the site is loading content from someplace other than wellsfargo.com, so your exception is irrelevant.  Remove all of your exceptions and re-test with live log running.   Look for things that are blocked or warned or otherwise associated with your delay.

    This also assumes that you have a current browser with TLS 1.2 enabled. Their site will not accept TLS 1.0. (Courtesy of ssllabs.com for that test result.)

  • Thanks for that comment, Doug, as it's making me rethink this.  It's been so long since I made the decision to skip the Certificate Trust Check that I can't remember why.  I wonder now if there was a problem with the UTM at the time.  I'll remove that from the Exception on our UTM and see if there are any problems.

    EDIT a few minutes later: The Exceptions created by Sophos and by WebAdmin include skipping the certificate Trust Check, so I haven't changed those.  I wonder now if I wasn't skipping that because of the Sophos (Astaro) examples.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Your recommendation was probably a response to frequent false positives, which we have discussed in other posts.   

    • UTM 9.4 rejected any site with a missing intermediate certificate and any site with an included root certificate.   
    • UTM 9.5 is presumed to ignore unwanted root certificates, but still has the intermediate certificate problem. 
      (I only say "presumed" because I have not upgraded and no one in this forum has commented one way or the other.)

    Finding the affected sites in the log files can be difficult (itmid=0002, action=block, error=""), and then you need another test tool to determine what is wrong with the certificate.  Finding and installing intermediate certificates is a bit of an obscure art.   So for the home or small business user with limited exposure to the nuances of TLS encryption, skipping certificate checks is an easy workaround, but not an ideal one.

    I hope product management grasps why AIA Fetching needs to be undertaken soon.  

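Doug's two posts above describe the same troubleshooting step from two angles: watch the web filter live log for anything blocked or warned while the page loads, and look in particular for the hard-to-spot certificate rejections (id 0002, action block, empty error string). The script below is an added example, not code from the thread or from Sophos: it parses UTM httpproxy-style log lines, separates blocked and warned requests from passed ones, picks out the empty-error blocks Doug mentions, and lists the hosts outside wellsfargo.com that were blocked, which is where a third-party DDoS-protection or fingerprinting call would show up. The log lines are constructed for the example and their field names are an assumption modelled on the UTM httpproxy log; the hosts in them are reserved example names, not anything Wells Fargo actually uses.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines (assumption: field layout modelled on the Sophos UTM
# httpproxy log, key="value" pairs after the syslog prefix). Not real traffic.
SAMPLE_LOG = """\
2017:03:15-10:22:31 utm httpproxy[5678]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.10" dstip="159.45.2.3" statuscode="200" url="https://www.wellsfargo.com/" error="" exceptions="" category="105" categoryname="Finance"
2017:03:15-10:22:32 utm httpproxy[5678]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.1.10" dstip="203.0.113.7" statuscode="403" url="https://ddos-shield.example.net/" error="" exceptions="" category="9998" categoryname="Uncategorized"
2017:03:15-10:22:33 utm httpproxy[5678]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.10" dstip="198.51.100.9" statuscode="403" url="http://fingerprint.example.com/fp.js" error="Category blocked" exceptions="" category="9990" categoryname="Ads"
2017:03:15-10:22:34 utm httpproxy[5678]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request warned" action="warn" method="GET" srcip="192.168.1.10" dstip="192.0.2.5" statuscode="200" url="https://static.example.org/app.js" error="" exceptions="" category="178" categoryname="Software"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one log line into a dict of its key="value" fields plus the URL host.

    Returns None for lines that carry no fields (blank lines, unrelated syslog)."""
    fields = dict(FIELD_RE.findall(line))
    if not fields:
        return None
    fields["host"] = urlparse(fields.get("url", "")).hostname or ""
    return fields


def parse_log(text):
    """Parse every line of a log dump, dropping lines that did not parse."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def not_passed(entries):
    """Everything the proxy did not simply pass: blocks and warnings."""
    return [e for e in entries if e.get("action") in ("block", "warn")]


def cert_suspects(entries):
    """Blocks with id 0002 and an empty error string.

    Doug's post names this combination as the signature of a certificate
    rejection that is hard to find; policy blocks normally carry an error text.
    Treat it as a pointer to re-test the site's chain, not as proof."""
    return [e for e in entries
            if e.get("id") == "0002"
            and e.get("action") == "block"
            and e.get("error", "") == ""]


def is_under(host, domain):
    """True for domain itself and its subdomains, never for look-alike names."""
    return host == domain or host.endswith("." + domain)


def third_party_hosts(entries, site_domain):
    """Hosts outside site_domain that were blocked or warned.

    An exception written for the site itself does not cover these, which is
    why the thread suggests removing exceptions and reading the live log."""
    return sorted({e["host"] for e in not_passed(entries)
                   if not is_under(e["host"], site_domain)})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in not_passed(entries):
        print(f'{e["action"]:5} id={e["id"]} {e["host"]:28} error="{e["error"]}"')
    print("empty-error blocks:", [e["host"] for e in cert_suspects(entries)])
    print("third-party hosts:", third_party_hosts(entries, "wellsfargo.com"))
```

Run it against a dump of the web filter log taken while reloading the site with all exceptions removed, as Doug suggests; the third-party host list is what you would then test individually, and any host in the empty-error list is the one to check with an external chain tester before deciding whether a certificate trust check is really what is failing.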
  • It could be that one of the redirects is not being handled correctly or is being blocked.  I would remove your skip, remove the filtering exception and watch the live log when you try to connect.  Most banking sites have some kind of DDoS protection service in front of their sites and it may be that call that is being blocked.  It could be a third party fingerprinting javascript as well that they have set up so people aren't using ad-blocker on their site.
