SSL/TLS inspection vs HSTS

Question

I have enabled SSL/TLS inspection to do MITM for HTTPS(443) trafic from LAN to WAN. I have push by GPO certificat CA to windows computer. That work just fine for most site. Now I have an issue with site that have HSTS enabled. For those site that enable HSTS. I have to add site to web / URL groups / Local TLS exclusion list and need to maintain that exclusion list so they are not decrypted. But what if I want the automaticaly exclude site with HSTS enabled ? What we know is that HSTS is enabled with a property set in the html header. 
 HTTP/1.1 302 Found Date: Fri, 09 Aug 2024 18:58:44 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive Location: /fr/ Vary: Cookie Strict-Transport-Security: max-age=15724800; includeSubDomains SSL/TLS allow for 2 types of exlusions, certificat and web category (or URL). HSTS is enabled in the web page header with property, so certificat property can not be user to "do not decrypt" HSTS site. Now looking a web site category, I can define a new one. Web site can be categorized by URL, back to square 1 whre I have to maintain a list of URL. That leave me with "keyword". I have try to set Strict-Transport-Security as keyword, but look like header is not scanned for keywords. No luck... Is there a way to automatically detect website with HSTS enable and "do not decrypt" these, or put website with HSTS in a specific URL categorie to skip them ? What are you doing ?

LuCar Toni · Accepted Answer

Looking at this example: 
 You have this situation here: https://support.sophos.com/support/s/article/KBA-000008960?language=en_US 
 
 The webserver is not sending the full chain. 
 https://www.ssllabs.com/ssltest/analyze.html?d=bsdq.org&latest 
 
 SFOS is basically complaining about this. Saying, you have to have the full chain otherwise we will still give the same experience. 
 Browsers sometimes have a workaround to not throw errors, but essentially this website is "badly designed". 
 You can resolve it by the two suggestions in the KB above.

apijnappels · Answer

Browsers will only disallow untrusted certfificates in these cases. That would mean that the ssl-inspection CA is untrusted if that is the reason of this problem. The browser will in that case not give the option to continue visiting the "unsafe" site but it will reject the connection when the server sent a HSTS header before. 
 Browsers do as far as I know and can find not pin last certfificates. That would mean that sites using Lets Encrypt certs will not work anymore when the cert is renewed somewhere within the 90 days the cert is valid or whenever a website owner decides to start making use of a new certificate authority when a cert is renewed. 
 OP states that he did push the cert via GPO so that should not be the problem. 
 Digit23 
 
 You can use developer tools in your browser and see the network tab when loading such site to see if you can find any errors. 
 If using Chrome or Edge you can use chrome://net-internals (which will say it has been changed a bit and will forward you to chrome://net-export to start making exports of your traffic that you can later analyse using a netlog viewer. 
 
 Please let us know if you get any further with it.

LuCar Toni · Answer

Did you review my post? Effective the DPI will forward and not "hide" such a webserver. Thats what is being blocked by the browser. It is not HSTS. It is the proxy reporting invalid CA.

SSL/TLS inspection vs HSTS

Top Replies