HTTPS

From Edge Threat Management Wiki - Arista
Revision as of 08:16, 15 February 2016 by Dmorris (talk | contribs)

HTTPS is HTTP over SSL. Untangle applications (like Web Filter) typically filter web requests by reading them transparently as they are sent to the server. The applications are free to block requests, modify them, redirect them elsewhere, or take other actions.

HTTPS, however, is much more difficult because it is encrypted between the client and the server. Because Untangle sits in between the client and the server, all it sees is an encrypted stream. It is unable to see the web request or modify it.

Because of this, dealing with HTTPS properly requires some extra steps. Untangle provides a few ways to deal with HTTPS. Choosing the right one depends on the goals and desires of your organization.

Web Filter without SSL Inspector

The first and most common way to deal with HTTPS is to enable the options in Web Filter that allow it to categorize HTTPS sessions by SNI, IP, or certificate information. These options allow Web Filter to handle HTTPS without decrypting it. To read more about these options, see Web_Filter#HTTPS_Options.

Advantages

  • This technique is very simple to deploy and maintain.
  • It requires no changes on the client.
  • This technique is usually effective with blocking categories.

Disadvantages

  • Options that rely on modifying the stream will not work (YouTube for Schools, Safe-Search enforcement).
  • The URI of the request is encrypted, so only the domain is known. This means a site is either blocked entirely or not at all, which may be undesirable for some sites (like Wikipedia) where you want to allow some content but not other content.
  • HTTPS block pages will display a certificate warning if the client does not have Untangle's root CA cert installed.

SSL Inspector full inspection

SSL Inspector decrypts HTTPS and re-encrypts it on the server side, maintaining two separate encrypted channels. Between the two encrypted channels, normal unencrypted HTTP flows through the other applications. SSL Inspector can do this on all HTTPS traffic, giving the admin full control over all HTTPS traffic.

Advantages

  • Very powerful.
  • Full featured.

Disadvantages

  • Requires new root certificate to be added to all clients' browsers and O/S's.
  • May cause higher load if the server is processing heavy amounts of HTTPS traffic.
  • May interfere with certain HTTPS apps with hardcoded certs and require "ignore rules" to be added.
  • The administrator, not the user, is now responsible for deciding which upstream certificates are accepted in some cases (self-signed certs, etc.) and for configuring these cases.

SSL Inspector partial inspection

Similar to the above, admins can use SSL Inspector on only important HTTPS traffic, like google.com, youtube.com, facebook.com, etc., while handling other HTTPS traffic as encrypted channels. This is similar to the above but with slightly less maintenance overhead because only certain HTTPS sites are affected.

Advantages

  • Very powerful
  • Most features (Safe Search enforcement, logging of searches, etc) still work.
  • Doesn't touch critical HTTPS to banks and other applications.

Disadvantages

  • Requires new root certificate to be added to all clients' browsers and O/S's for monitored sites.
  • May cause higher load if there is a lot of HTTPS traffic.