Dear all,
Despite perusing the available documentation and reading pages upon pages of bulletin board replies (both here and elsewhere), I am still unsure about the role played by SophosWebIntelligence, especially with regard to SSL and TLS.
It is obvious that SophosWebIntelligence proxies data sent to and from supported browsers (Safari, Chrome, Firefox) whether the page loads over HTTP or HTTPS. This suggests that it intercepts the TLS connection in order to run reputation checks and scan any downloads. This, in turn, suggests a lot of tricky issues with privacy and security (keeping in mind that browsers like Chrome are much better at securing TLS transactions than most third-party apps).
Yet, upon examining certificates and certificate chains, I see no obvious signs of a Sophos MITM "attack."
How does the SophosWebIntelligence bundle peek into encrypted streams? Does anybody have any idea?