We have some exciting changes coming to the Endpoint/Server Protection and EDR Features Early Access Program over the next few weeks. One of the biggest changes is the decryption and re-encryption of HTTPS traffic between the browser and the web server.
HTTPS inspection will be enabled by default and start rolling out in batches to devices you have enrolled in the Early Access Program (both Endpoint and Server) from July 1st until early August.
When users visit websites via browsers, the Sophos endpoint will decrypt HTTPS network traffic for the purpose of applying your Threat Protection policy. This decryption allows for deeper and more complete protection, and is recommended for best protection. This inspection technique may, under some circumstances, interfere with successful browsing activity.
Controls for enabling or disabling HTTPS inspection can be found in Sophos Central under the Global Settings page, in the Endpoint Protection section. This settings page goes live on June 19th.
Look for the option “SSL/TLS decryption of HTTPS websites”. This new page offers important controls for managing the HTTPS inspection policy:
There are a few important reasons you may wish to modify those settings:
Several additional situations merit mention:
There will be further updates to enhance the feature over the next few months before we start releasing it to devices outside of the Early Access Program.
Please review the devices you have enrolled in the Early Access Programs and, based on the information above, consider if you need to remove any before we start the enablement on July 1st.
As always, we welcome your feedback about these enhancements and ask that you provide details of your experience so that we can continue to improve the features and your experience of the product.
Update - July 7th 2021: We have released an update to Intercept X to the Early Access Program; the new mitigation is in silent mode currently but will be enabled in the EAP next week. The feature protects access to the Security Account Manager (SAM) through regedit and is controlled by this setting in the Threat Protection policy: 'Prevent registry credential theft'.
With the feature "Decrypt HTTPS Sites..." enabled and the BETA components installed, should I see a replaced certificate in the browser for HTTPS sites or not?
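One way to see for yourself what a client is actually shown when inspection is active, as an added example that is not Sophos code nor part of this thread: it connects with the OS trust store, reports the issuer of the leaf certificate, and flags the connection as inspected when the issuer matches a configured CA name (the CA name and host below are assumed placeholders; the untrusted branch is the case where the inspecting CA is not in the client's trust store, which is what breaks browsing).

```python
import socket
import ssl
import sys

# Constructed placeholder: issuer names you expect your inspecting endpoint
# or proxy CA to carry. Replace with the real CA name from your environment.
INSPECTION_CA_NAMES = {"Example Corp HTTPS Inspection CA"}


def name_to_dict(rdn_seq):
    """Flatten the tuple-of-tuples name format returned by getpeercert()."""
    return {attr: value for rdn in rdn_seq for attr, value in rdn}


def classify_cert(cert, inspection_names=INSPECTION_CA_NAMES):
    """Return a verdict on who issued the certificate a client was shown.

    `cert` has the dict shape produced by SSLSocket.getpeercert().
    """
    issuer = name_to_dict(cert.get("issuer", ()))
    subject = name_to_dict(cert.get("subject", ()))
    org = issuer.get("organizationName", "")
    cn = issuer.get("commonName", "")
    if org in inspection_names or cn in inspection_names:
        verdict = "inspected"    # leaf was re-signed by the inspection CA
    elif issuer and issuer == subject:
        verdict = "self-signed"  # no CA at all, usually a test or misconfigured server
    else:
        verdict = "direct"       # issued by a CA that is not a configured inspector
    return {"verdict": verdict, "issuer": issuer, "subject": subject}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a verified TLS connection and return the leaf certificate dict.

    Returns None when the chain does not verify, i.e. the client does not trust
    whatever CA signed the certificate it was handed.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    cert = fetch_peer_cert(host)
    if cert is None:
        print(host, "-> untrusted: issuing CA is not in this client's trust store")
    else:
        result = classify_cert(cert)
        print(host, "->", result["verdict"], "issued by", result["issuer"])
```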
As we continue the rollout of the updated EAP agent, here are a couple of points to note:
1. If you remove a device from the EAP you should reboot the device to ensure that the Modern Web feature is no longer active.
2. If you have web sites using Microsoft's IIS feature 'Extended Protection for Authentication' you may need to add an HTTPS exclusion to allow site access: https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/extended-protection-for-authentication-overview
What happens if we already carry out SSL intercept, e.g., behind a web proxy or a firewall? Will the endpoint still try to decrypt the traffic?
Hello, if the policy is set to decrypt, then yes, the EP will still decrypt traffic that has come via a proxy or firewall.