
decrypt and scan https is checked, and I installed the certificate to trusted root container, but no websites are working

I followed the procedures here:  https://community.sophos.com/kb/en-us/123048

However, I cannot reach any websites anymore, such as Google, Yahoo, etc., after I have checked the box to "decrypt and scan https" in my firewall rule.  What am I doing wrong?

I have tried restarting the browser, rebooting the computer, and removing the certificate and reinstalling it, but nothing works.  What can I do to fix it?

  • Stop reading here:

    You would purchase an SSL certificate from an online CA, like GoDaddy or something like that.

    This is not possible. Or should not be possible. Publicly trusted CAs are built to only sign your domains, not all domains on the internet. 

    For example, you cannot buy a CA from GoDaddy that builds you a certificate for google.com and have this certificate be trusted by all clients in the world. This would break HTTPS and the reason for using it. You could perform a man-in-the-middle attack everywhere and nobody would ever notice. 

    It is like LetsEncrypt. This requirement pops up quite often, tbh; it would be so easy, just buy a certificate and you could even HTTPS-scan the traffic of your guest network, read the HTTPS-encrypted traffic and read all the passwords, etc... You may notice the issue here. 

    If you find a public CA who does this, just ping me. I would love to do this kind of HTTPS scanning everywhere in the world. Just open a public hotspot and here you go: credit card information, etc. 

  • ManBearPig, you've hit upon the crux of the issue.

    HTTPS (and the infrastructure around it) was built so that there is no way for a man-in-the-middle to read your data without you knowing (or giving permission).

    There is no way to perform decryption while at the same time not having to install something on the user device or having a warning pop up.

    In other words - a coffee shop with free wifi cannot decrypt your web traffic with your bank without you explicitly giving them permission to.

    For corporate computers that are connected to active directory, there are various ways to push the CA to the computers automatically, for each browser.

    For corporately managed phones, there are also ways to push the CA.  I'm sure Sophos has a solution.  This means the users need to install a management app of course.

    The problem is BYOD phones and guest networks.  The first thing that you should do is keep them off of your main corporate network.  You don't want personal phones to have access to your full network; that just adds a huge security hole.  They should be segregated so that they only have internet access, or else any malware from a personal phone or laptop that connects can spread through your network, as it has bypassed your firewall. 

    So we are only really talking about personal phones that you have guest wifi for, to allow internet access so they don't use their data plans.  At that point you need to decide whether it is necessary for you to decrypt traffic.  Does the benefit outweigh the cost?  If someone is blocked, are they likely to switch to their data plan?  Is it enough to block based on the domain category, or do you also need to block filetypes and antivirus everything for personal devices that are not on your corporate network?

    I admittedly don't know much about all the myriad customer configurations and needs.  But if you are indeed allowing unmanaged devices on your corporate network while at the same time wanting to manage their internet access, you should probably think carefully about what it is you are doing and why.
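The point both replies make (a decrypt-and-scan CA is only trusted on devices where it has been installed, and no public CA will issue one that signs arbitrary domains) can be checked locally. The script below is an added example, not code from the thread or from Sophos: it mints a throwaway private CA, signs a leaf certificate for a constructed hostname, and shows that `openssl verify` accepts the leaf only when that CA is explicitly trusted. All names are constructed; it needs only `openssl` and `mktemp`.

```shell
#!/bin/sh
# Added example: why an interception CA must be installed on every client.
# Stand-in for the firewall's "decrypt and scan" CA is a throwaway root
# created here; the hostname is constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="www.example.test"

# 1. Throwaway root CA (self-signed, 1 day validity, key without passphrase)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Demo Interception CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. Leaf certificate for a host the CA does not own, signed by that CA.
#    A public CA would refuse this; a private CA signs whatever it is asked.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
  -out "$WORK/leaf.crt" >/dev/null 2>&1

# 3a. Client that has the demo CA installed: chain builds, verify succeeds.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# 3b. Client that trusts only the system store: issuer not found, verify fails.
#     This is the state of a BYOD or guest device (and of the original poster's
#     browser if the CA did not land in the store that browser actually uses).
verify_without_ca() {
  openssl verify "$WORK/leaf.crt" >/dev/null 2>&1
}

if verify_with_ca; then echo "with demo CA trusted: OK"; fi
if ! verify_without_ca; then echo "system store only: FAILED (as expected)"; fi
```

To check a real client the same way, export the certificate chain the browser actually receives and run `openssl verify` against the store that browser uses; Firefox, for example, keeps its own store separate from the operating system's.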