Hi all,
We have some exciting changes coming to the Endpoint/Server Protection and EDR Features Early Access Program over the next few weeks. One of the biggest changes is the decrypt and re-encrypt of HTTPS traffic between the browser and the web server.
HTTPS inspection will be enabled by default and start rolling out in batches to devices you have enrolled in the Early Access Program (both Endpoint and Server) from July 1st until early August.
When users visit websites via browsers the Sophos endpoint will decrypt HTTPS network traffic for the purposes of applying your Threat Protection policy. This decryption allows for deeper and more complete protection, and is recommended for best protection. This inspection technique may, under some circumstances, interfere with successful browsing activity.
Controls for enabling or disabling HTTPS inspection can be found in Sophos Central under the Global Settings page, in the Endpoint Protection section. This settings page goes live on June 19th.
Look for the option “SSL/TLS decryption of HTTPS websites”. This new page offers important controls for managing the HTTPS inspection policy:
- enable or disable HTTPS inspection
- optionally exclude HTTPS inspection for websites in the Finance & Investment category
- optionally exclude HTTPS inspection for websites by hostname or IP address
There are a few important reasons you may wish to modify those settings:
- websites which rely upon client certificates as part of authentication will not work by default, and will require an exclusion by hostname or IP address
- websites using outdated and insecure encryption algorithms will not be accessible by default, and will require an exclusion by hostname or IP address
- websites using certificates generated by a root Certificate Authority not recognized by Windows may require an exclusion by hostname or IP address
Several additional situations merit mention:
- websites using self-signed certificates will require users to approve access in their browsers, or re-approve access if done previously
- Firefox users may encounter problems unless the option “security.enterprise_roots.enabled” is set in their browser
There will be further updates to enhance the feature over the next few months before we start releasing it to devices outside of the Early Access Program.
Please review the devices you have enrolled in the Early Access Programs and, based on the information above, consider if you need to remove any before we start the enablement on July 1st.
As always, we welcome your feedback about this enhancements and ask that you provide details of your experience so that we can continue to improve the features and your experience of the product.
Update - July 7th 2021: We have released an update to Intercept X to the Early Access Program; the new mitigation is in silent mode currently but will be enabled in the EAP next week. The feature protects the Security Account Managers (SAM) access through regedit and is controlled by this setting in the Threat Protection policy, 'Prevent registry credential theft'