Certificate for Sophos Web Protection Warnings?

The new version of Web Protection/Control is shortly to be available in EAP which does decryption of HTTPS traffic.  As a result this will be able to inject messaging into the browser and behave like HTTP traffic does today.

Important Changes to the Endpoint/Server Protection and EDR Features Early Access Program - Announcements - Endpoint EAP - Sophos Community 

Where should one be able to inject  a message into the browser? Sounds like a marketing myth... Also the link you mentioned doesn't provide any information about the feature to inject a message or even HOW to achieve it.

I am suggesting that once the new web protection/control version is released it will be able to inspect HTTPS traffic. As a result it will be able to display block/warn messages as the current version does today.

Hello  ma-edv ,

not a myth (as others, AFAIK, already do it).  Sorry if stating the already obvious. Traffic redirection is there, and interception, scan and/or injection not a challenge when HTTP is used.  While you can read HTTPS traffic you can't modify it as you'd need the sending server's private key. The solution is to "cut" the connection in two, On the one from/to the browser the server must be mimicked, and for this a root CA must to be installed that is used to issue the pretended server certificate.

Christian    .

Fully agree. No one denys that from a technical prospective; we know this "old school feature" from the UTM anyways. But User 930 was stating that there will be that functionality in the new Web Protection/Control.

But at this time, there is no official annoucment from Sophos about introducing it as a "brand new" feature

By the way, this is not entire true anymore. While old school proxies do this (split into two sessions), DPI engines like SFOS (XGS) are actually using the stream. Therefore the packet will be manipulated while flowing through the firewall and not building up a own connection. But the premise is still the same, you have to trust the certificate anyway from the firewall. 

By the way, this is not entire true anymore. While old school proxies do this (split into two sessions), DPI engines like SFOS (XGS) are actually using the stream. Therefore the packet will be manipulated while flowing through the firewall and not building up a own connection. But the premise is still the same, you have to trust the certificate anyway from the firewall.