Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 3 subscribers
  • Views 4530 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blog: Could Sophos Antivirus Web Protection cause a privacy concern for your org.?

teched_01
https://labs.portcullis.co.uk/blog/could-sophos-antivirus-web-protection-cause-a-privacy-concern-for-your-organisation/

The blog post above looks at Endpoint Web Protection with the http based SXL lookup and returned values.  Similar data appears available via DNS based SXL lookups but I'm not sure what, if anything, uses the DNS mechanism.

"tr a-z n-za-m" works for ROT13 on lowercase and works on the Sophos UTM.

A previous thread touched on some potential privacy/disclosure concerns https://community.sophos.com/products/unified-threat-management/astaroorg/f/53/t/33654 other threads may exist.

Further, could a sufficiently interested/malicious actor spoof/manipulate responses to potentially alter web policy enforcement?  According to my tests: Yes.


This thread was automatically locked due to age.
Parents
  • 0

    Further, could a sufficiently interested/malicious actor spoof/manipulate responses to potentially alter web policy enforcement?  According to my tests: Yes.
    Could you elaborate on your testing methodology that makes you think that? Information leak I can understand but you are leaking to the DNS provider anyway so what if they have the whole URL. Most of the time going to badsite.c o m is enough to raise eyebrows.Your DNS provider probably already has that information so in essence it can be subpoenaed / tracked. Tracking  badsite.c o m/badpage/reallyreallybad.htm doesn't make it any worst. A man in the middle snoop for sophos sxl traffic is moot considering that if someone is snooping probably 90+ percent traffic of average user is not ssl encrypted so can be easily tracked by the ISP ROT13 or not.

    Just wondering.
Reply
  • 0

    Further, could a sufficiently interested/malicious actor spoof/manipulate responses to potentially alter web policy enforcement?  According to my tests: Yes.
    Could you elaborate on your testing methodology that makes you think that? Information leak I can understand but you are leaking to the DNS provider anyway so what if they have the whole URL. Most of the time going to badsite.c o m is enough to raise eyebrows.Your DNS provider probably already has that information so in essence it can be subpoenaed / tracked. Tracking  badsite.c o m/badpage/reallyreallybad.htm doesn't make it any worst. A man in the middle snoop for sophos sxl traffic is moot considering that if someone is snooping probably 90+ percent traffic of average user is not ssl encrypted so can be easily tracked by the ISP ROT13 or not.

    Just wondering.
Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?