Hi all,

This weekend we are making some policy changes relating to the SSL/TLS decryption of HTTPS websites. We will be adding a toggle for SSL/TLS decryption into the Threat Protection policy for all customers.

SSL Policy

This new setting will determine if Endpoints not in the Early Access Program (EAP) should decrypt HTTPS websites; it will be set to Off by default.

The settings in Global Settings will remain; they serve two purposes:

1. Set exclusions either by website category or by website name
2. Enable / Disable HTTPS decryption for devices enrolled in the EAP; it is enabled by default

SSL Global Settings

For all customers, the Global Settings page is where categories can be excluded from HTTPS decryption along with individual HTTPS exclusions. Customers not enrolled in the New Endpoint Protection Features EAP will not see the option to enable decryption for their devices.

SSL Global Settings

For devices in the EAP, this explains the result of policy settings:

HTTPS Decrypt in Threat Protection policy | HTTPS Decrypt in Global Settings | HTTPS Decrypt Status on the Endpoint
ON                                        | ON                               | ON
ON                                        | OFF                              | ON
OFF                                       | ON                               | OFF
OFF                                       | OFF                              | OFF

For devices not enrolled in the EAP, when they have been migrated to the new product architecture (see https://support.sophos.com/support/s/article/KB-000043550 for details), this explains the result of policy settings:

HTTPS Decrypt in Threat Protection policy | HTTPS Decrypt in Global Settings | HTTPS Decrypt Status on the Endpoint
ON                                        | ON                               | ON
ON                                        | OFF                              | ON
OFF                                       | ON                               | OFF
OFF                                       | OFF                              | OFF

These changes will be applied if devices are added to or removed from the EAP. If an account is enrolled to the EAP, the changes will only affect devices once they are enrolled into the program.

Regards,

Stephen

  • Cannot manage our local Sophos Firewalls with Firefox anymore since my computer joined the EAP.

    SEC_ERROR_REUSED_ISSUER_AND_SERIAL

    Whether I connect with FQDN or IP to XG or SG, this error appears. The firewall Webadmin sites are equipped with a commercial wildcard certificate.

    Firefox is using the Windows Certificates and the Sophos Endpoint CAs are in there.

    It is working with Chrome and Edge. In both I can see the connection is signed by the Sophos Endpoint RSA Root.

    Other SSL pages load fine with Firefox.

    I can also load other internal SSL management websites with Firefox and see the new Sophos Endpoint RSA Root Cert used there.

  • Excluding the 2nd level domain secured by our wildcard certificate or the full FQDN from Intercept-X SSL / TLS scan is a workaround for Firefox.

  • Obviously, excluding financial websites like shown in the previous screenshot is not working - Intercept-X client does Man-in-the-Middle here, but it shouldn't!

    Examples:

  • We will check the SNI field of the ClientHello record against the exclusion list. In theory this is the hostname of the site you entered into the URL bar of your browser. We consider subdomains to be covered by the domain e.g. imagine a wildcard at the left side of whatever you add as an exclusion. Try recording some traffic with Wireshark and having a look at the ClientHello record's SNI field to see what it says.

    We can't see the full URL because at the time of the ClientHello record we haven't decrypted anything yet. And once we start decrypting we cannot stop. Hence the need to make this decision at the ClientHello.
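To make the ClientHello decision described above concrete, here is an added example (not Sophos code, and not how the product is implemented internally) that pulls the SNI host_name out of a raw TLS ClientHello record and checks it against an exclusion list using the "implicit wildcard on the left" rule: an exclusion matches the name itself and any subdomain of it. The ClientHello bytes are constructed by a helper in the block so it runs offline; the decision strings are the example's own.

```python
import struct

SNI_EXT_TYPE = 0  # server_name extension type (RFC 6066)

def extract_sni(client_hello: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    if len(client_hello) < 9 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                   # skip client_version and random
    sid_len = client_hello[pos]; pos += 1 + sid_len    # session_id
    cs_len = struct.unpack("!H", client_hello[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    comp_len = client_hello[pos]; pos += 1 + comp_len  # compression_methods
    if pos + 2 > len(client_hello):
        return None                                    # no extensions block at all
    ext_total = struct.unpack("!H", client_hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", client_hello[pos:pos + 4]); pos += 4
        if ext_type == SNI_EXT_TYPE:
            # server_name_list: list_len(2), then name_type(1) name_len(2) name
            name_type, name_len = struct.unpack("!BH", client_hello[pos + 2:pos + 5])
            if name_type == 0:                         # 0 = host_name
                return client_hello[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def is_excluded(hostname: str, exclusions) -> bool:
    """Match exactly or as a subdomain: 'bank.example' also covers 'login.bank.example'."""
    host = hostname.lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in (x.lower() for x in exclusions))

def decrypt_decision(client_hello: bytes, exclusions) -> str:
    """The decision has to be taken here, before any decryption, so only the SNI is available."""
    sni = extract_sni(client_hello)
    if sni is None:
        return "no SNI in ClientHello"
    return "exclude" if is_excluded(sni, exclusions) else "decrypt"

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello carrying only an SNI extension (sample input)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
            + b"\x01\x00"                                  # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The same parser can be pointed at a ClientHello payload exported from a Wireshark capture to see which name the exclusion check would actually compare against.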

  • I wasn't able to reproduce this myself. If you drop me an SDU then I'd be happy to review the logs. If you want to review the logs yourself then you'll want to check SophosNetFilter.log and look for the ClientHello decision for these domains.

  • Hello, I think I understand the issue. The HTTPS Decryption Exclusions page shows items that are excluded. The per-category controls are enabled (green) when you want to exclude that category from decryption. So in your screen shot above, you've configured it to NOT decrypt the following categories:

    • Downloads
    • Health & Medicine
    • Job Search & Career Development
    • Web-based Email

    Because you've disabled the control for Finance & Investment that category WILL be decrypted.

    The logic is sensible when you think of it as activating an exclusion rather than considering it as turning decryption off.