Overview
Here is the FAQ about HTTPS scanning
Question 1: What is HTTPS ?
HTTPS is the secure version of HTTP, where HTTP traffic is sent over a TLS/SSL encrypted connection. Before the HTTP packets are sent, a TLS/SSL connection is established. This process involves a handshake between the encryption algorithms agreed upon by the client and the server, and the server sends its certificate to the client.
If both the client and server agree on an encryption algorithm, and the client can accurately identify the server, then the connection is established. Subsequently, all traffic will be encrypted. If there is an eavesdropper, they will only be able to see the encrypted traffic without being able to decrypt it.
The only way an attacker can decrypt the traffic is if they intervene in the handshake process and insert themselves into the connection.
In normal circumstances, HTTPS provides assurance to the browser and users that the web server they are connecting to is the intended server and that no one is intercepting or eavesdropping on the traffic.
Question 2: What is Certificate? What is Certificate Authority?
A certificate is a data block that includes the domain hostname, domain owner, and other information. The certificate is verified by a Certificate Authority (CA), which ensures that the information in the certificate is accurate. The verification process plays a crucial role, as any modification to the information in the certificate would invalidate the verification.
The web browser will check the certificate and the issuing organization. If the certificate matches the domain it is connecting to, it will trust and complete the TLS/SSL handshake.
Certificate Authority (CA) can be understood in two senses. It can refer to a special type of certificate with the ability to sign other certificates, or it can be a company that controls certificates. There are many CA companies that have default trust in web browsers (usually as Trusted Root CA or Public Root CA).
Question 3: What is HTTPS Decrypt and Scan?
This feature acts as an intermediary between a fake web server and a fake client when it requests to the actual web server. When you enable “decrypt and scan HTTPS” in the web proxy, it will start performing intermediary decryption of HTTPS traffic.
If the “decrypt and scan HTTPS” feature is not enabled, when a client web browser makes an HTTPS request to a website, the web browser will establish a TLS/SSL connection with the domain’s SNI (Server Name Indication) information. Once the TLS/SSL connection is fully established, the firewall proxy cannot see the requests and responses HTTP inside it. Therefore, it can only perform blocking based on the domain category in the SNI while the connection is still being established. It will not be able to classify or block based on the URL path, and it will not be able to scan for viruses in any downloaded files.
Question 4: What are some security concerns when scanning HTTPS?
HTTPS decryption means that the web proxy can now see the encrypted content inside HTTPS traffic. This means that anyone with access to the firewall can also view this traffic. Therefore, if the firewall does not have a strong password or is not properly secured, enabling HTTPS scanning can make client-side applications less secure. Hackers will have a much larger target compared to just monitoring HTTPS traffic.
HTTPS decryption means that the web proxy will be able to see and log HTTPS traffic. This does not impact security, but it may affect privacy. For example, administrators may be able to see what users are searching for on Google or which URLs they are accessing.
Question 5: Does the AV scan on the web proxy interface with the AV scan on the client?
There should be no issue with scanning twice, and in fact, you can enable two independent scanning features. Scanning once with Avira on the web proxy and then with Sophos AV on the endpoint, using different antivirus providers, may be beneficial.
There are some applications, websites, and devices that may encounter issues with the virus scanning process, as the protective measures are part of the virus scanning process and may disrupt access traffic. If you have specific applications or websites that require web requests for a part of a file, you may need to create exceptions to disable AV scanning for that specific access traffic.
Administrators can create exceptions to prevent virus scanning for certain sources or destinations. Alternatively, they can disable the HTTPS decryption feature for specific access traffic by using exceptions to turn off HTTPS decryption for specific traffic.
Question 6: What are the effects of enabling HTTPS Decrypt and Scan?
Here are a few things to consider when trying to decide whether to use HTTPS Decrypt and Scan
Feature | Decryption requirements |
Blocking of categories | HTTPS decryption is not required, although it does give finer detail. |
Blocking of filetype | HTTPS decryption is required (HTTP only is limited protection). |
Blocking of viruses | HTTPS decryption is required (HTTP only is limited protection). |
Sandstorm | HTTPS decryption is required (HTTP only is limited protection). |
Content Filters | HTTPS decryption is required (HTTP only is limited protection). |
Advanced Threat Protection | HTTPS decryption is required (HTTP only is limited protection). |
Restrict Logins for Google Apps | HTTPS decryption is required. |
Application Control | HTTPS decryption is not required for some applications, although it is required for others. |
Reporting | HTTPS decryption is not required, although it does give finer detail. |
Pharming Protection | HTTPS decryption is not required. |
Search Engine SafeSearch and YouTube Restrictions | HTTPS decryption is not required. |
Some computers and devices may have endpoint software installed to provide protection, but HTTPS and virus scanning at the firewall are the only ways to ensure that all traffic is scanned for all devices
Question 7: Can I enable Decrypt and Scan without deploying anything to the client
No you can not
You must use the CA that comes with the firewall or create your own CA certificate
Question 8: I don’t have HTTPS scanning enabled and haven’t deployed certificates or CAs, why do users sometimes get warnings about certificates ?
You are doing block by category with web filtering
Question 9: What are the recommended ways to reduce or remove warnings for pages ?
Most customers will use the CA that comes with the system by default
Leave a Reply