Stop!
This website is blocked

Question

Hello everyone, Recently i noticed a bunch of tickets regarding the following. 
 
 i want to go on facebook, but facebook is blocked. 
 instead of the blocked page i get Error code: SEC_ERROR_UNKNOWN_ISSUER(firefox) or NET::ERR_CERT_AUTHORITY_INVALID(chrome) 
 it works fine if i install the sophos certificate. 
 
 I understand that the certificate must be pushed to end devices, however i can not ask guest users to install the sophos certificate. 
 I also understand that that this can be secured with a public cert. 
 
 This seems so random, as for some customers works just fine, but for others not. 
 I can not ask 200+ customers to buy a certificate to display a blocked page on guest networks. 
 
 Can anyone advise? 
 
 Kind regards, 
 Dragos

Michael Dunn · Accepted Answer

Please note that passthrough.fw-notify.net is for the Sophos SG / UTM and not for Sophos XG. When a user is blocked going to an HTTPS site by category there are two options: 1) We could decrypt the HTTPS and display a block page. If they do not have the CA they will get a browser warning. 2) We could drop the connection. The browser will display an error saying cannot connect You can configure the behavior under Web > General Settings > For errors and block/warn policy actions on HTTPS connections when Decrypt & Scan is disabled.

Michael Dunn · Answer

One of the things I have found to be useful is to describe on their terms. 
 HTTPS was designed to be secure. The people who made the standard and the people who create the browsers intend it to display warnings to make sure the end user is aware that the site they want to go to is not the site that is displaying the page. They want end users to know that even though they went to facebook.com and that is what is on their address bar, the block page they are seeing is not from facebook.com. 
 If you went to a coffee shop and used their free WiFi, you could then access your bank via HTTPS and know that the coffee shop is not stealing your banking information. Even if the coffee shop used an XG, they could not interfere with your connection to the bank without you knowing it. The safety that is provided by the browsers by throwing up a warning is a good thing that protects you as an end user - even if it is annoying for you as an administrator.

Michael Dunn · Answer

That is expected. The block page is displayed using a certificate generated from the Sophos SSL CA. In essence the browser is saying "I want to go to pornhub.com". They get back a page that says "I am pornhub.com and I can prove it because Sophos SSL CA says it is true." If the browser has the CA installed it will say "I believe you, lets see the page", If the browser does not have the CA installed it will say "I'm not sure about this, better check with the human" Once you see the page, you will see it a block page. Alan's reply about passthrough is about the UTM, a different product. The UTM needs both the CA and also passthrough.

Alan Brand · Answer

Technically speaking - that's impossible. If a block page appears while accessing "facebook.com" this page will displayed under the URL "facebook.com". But you won't get a valid certificate for the domain "facebook.com" for obvious reasons. If you import the sophos firewall CA, it will happily create and sign such a certificate "on the fly", but it is trusted only for those clients that have the sophos ca set as trusted - not your guests. Not saying it will working in all cases - there are mechanisms like cert pinning which will even this cert mark as falsification (it has the wrong issuer and wrong hash) but it works in most cases today. For guests you have the option to modify the built-in domain "passthrough.fw-notify.net" to something like "passthrough..com" for which you may get (and probably even have) a wildcard certificate "*..com". Note that there is also "passthrough6" for IPv6. This however dose not solve the redirecting from "facebook.com" to "passthrough.fw-notify.net".

Stop! This website is blocked

Top Replies