I have Sophos Cloud and I make a rule in sophos Policies for block Youtube access, but it does not works fine, some users have access to youtube despite of the police.
Thanks Karlos, I am sending you the screenshot for your review
and in "control sites tagged in Website Management"
Thanks for your answer.
Thanks so much for replay, I confirm you that all of users are in the same group, for example in my laptop computer, i use googole chrome and i uses two chrome profiles, in one profile i have acces to youtube and the second profile i haven´t access.
both pictures are in the same laptop and same windows user.
I can't be sure what's going on but can at least explain how it can work and what to check.
The Sophos Endpoint Proxy, which proxies the content at the client to inspect traffic does not crack open HTTPS. Therefore, to classify a HTTPS site it relies on obtaining the SNI record from the handshake. This is basically the domain trying to be accessed. For example:
Given this string the web intelligence service can make a SXL lookup for this domain and get back a category to pass back to the filter to make a decision for the site such as block/warn/allow.
If you add the SNI as a column in Wireshark:
which is:
ssl.handshake.extensions_server_name
You can then add a filter for traffic that contains a SNI. E.g. ssl.handshake.extensions_server_name !=""
If the domain you're trying to block is not in that list then I guess the address will not be obtained for the proxy to make use of. Is this the case?
I wonder if there is a compatibility issue with HTTP/2 (previously know as SPDY) and QUIC. If you look at the traffic in the Developer Tools, Youtube does make use of these:
I wonder if it works with say IE?
Maybe QUIC is being used in one case not another for example? You can disable QUIC to rule that out in the browser settings (chrome://flags/):
Things to toggle anyway.
Regards,
Jak
