Domains you’ve had to add to “Local TLS exclusion list”

Hi Shred,

I found facebook was being blocked by my application filter not by DPI. For the moment I have allow all in the application filter setting.

Ian

I've added quite a few over time. Even if it gives some insights about some apps and IoT devices I'm using and other informations - I post the list here (without bigger explanation...) - hope it helps some others to get some stuff working

www.apple.com
www.youtube.com
www.netflix.com
whatsapp.net
androidwearcloudsync-pa.googleapis.com
google.com
android.clients.google.com
play.googleapis.com
groupemutuel.ch
apple.com
olmprodpowerlift-cdn.azureedge.net
samsungosp.com
api.smartthings.com
one.viseca.ch
dqa.samsung.com
windows.net
mobile.pipe.aria.microsoft.com
samsungapps.com
api.worxlandroid.com
api.io.mi.com
account.xiaomi.com
api.xiaomi.com
dls.di.atlas.samsung.com
iot.eu-west-1.amazonaws.com
apis.samsungiotcloud.com
client.smartthings.com
launchdarkly.com
samsungiotcloud.com
office.com
office365.com
sophos.net
acompli.net
outlookmobile.com
microsoftonline.com
outlookmobile-office365-tas.msedge.net
spotify.com
spotify-com.akamaized.net
microsoft.com
msedge.net
duosecurity.com
dyson.com
msg-easytax.ch
msftauth.net
force.com
salesforce.com
whatfix.com
darkbytes.io
eum-appdynamics.com
zoom.us
nexusrules.officeapps.live.com
live.com
connectivitycheck.gstatic.com
googleusercontent.com
gvt1.com
android.googleapis.com
cdn.jsdelivr.net
youtubei.googleapis.com
elastic-payments.com
firebaseio.com
revolut.com
firebaseremoteconfig.googleapis.com
shazam.com
haustechnikdialog.de
xbox.com
duckduckgo.com
console.aws.amazon.com
grc.com
emirates.com
api.snapcraft.io
scsstatic.ch
odrs.gnome.org
blinkist.com
blinkist.io
h-hotels.com

You added all these to the TLS exclusion list? Might as well turn decryption off, lol.

What's wrong with google.com, emirates, and all those Microsoft domains? Works just fine with SSL/TLS DPI Decryption on.

Bjoern Freiherr said:

You added all these to the TLS exclusion list? Might as well turn decryption off, lol.

What's wrong with google.com, emirates, and all those Microsoft domains? Works just fine with SSL/TLS DPI Decryption on.

Yep, but they are specific subdomains with issues and the list is updated automatically, so no reason to add them again manually or list a bunch of first level domains. Just wondering if the huge list that was posted was really meant for this. I haven't encountered many issues with TLS decryption yet.

The issues appear to have reduced significantly since the release of EAP2.

Ian

That's a common misbelief, that people think if TLS interception is used, that any website has to be MITM'ed / scanned. In a perfect world that would be true, if MITM throughput isn't a cost factor, and no sites get broken by MITM'ing them.

However, while "normal" websites works without issuesif they get TLS scanned (besides of probably slower video starts and intermittend hickups during streaming), most of the exceptions are done for the Mobile and IoT devices usage here.

For example - google can be TLS scanned perfectly without issues if only used in the web browser. But Google search on Android devices (also voice search) is broken if MITM'ed. Instead of searching all the required subdomains or specific hosts to get that working I simply excluded google.com, as I see Google as a "trusted" provider (in terms of "I don't expect them to deliver me malware").

Other sites presents/makes use of client certificates to authenticate a client, and MITM'ing breaks such apps. Those are in special many of the "api.xxx" sitres, or authentication sites as msftauth.net for example.

Lot's of them are excluded due IoT devices (and especially their apps on the mobiles) to not break communication. There are all the mi, dyson, samsungiotcloud etc. sites...Also here - instead of searching any single host and subdomain I see those providers as trusted ones and simply exclude the whole domains.

Same with blinkist or spotify content sites. While the webbrowser works well with intercepting, the mobile apps gets partly broken without exclusions, as no blinkist or spotify content downloads possible to the app.

There is in general the recommendation to generally exlude specific categroies/websites from TLS scanning, which are considered trusted and unlikely to provide malware as streaming sites (Netflix, Youtube, Vimeo etc.) or Banking sites (ubs.com, postfinance.ch etc.) - so they are excluded in my enviroment to speed up things (streaming), lowering decryption load on my appliance and be compliant (banking doesn't like to get their traffic intercepted).

I'm also aware, that the Sophos Managed exclusion list is growing steadily, so doublettes with my list may occur. But I started collecting my exclusions already at the sophos internal EAP0 before public beta started, where the Sophos provided list was little shorter ;o)

So I'm doing here best practice by excluding problematic or trusted providers from TLS scanning. If I would be more paranoid and willing to spend hours to find the exact hosts or subdomains, I could slim down the domains to more exact hosts/subdomains, but personally I'm fine with those excusions, which provides a well working enviroment including mobiles and IoT devices, but enough security to get all not trusted providers TLS scanned.

Finally it's a question of how hard you want to make your lifes to reach a specific security and useability level. I believe handling of TLS scanning is the perfect example for living the Pareto 80/20 principle ;o) Finally most of your customers are not willing to pay the hours spent to fix TLS exclusions on a macro level - I have (since SSL Scanning in ASG7.4 got introduced) a quite pragmatic approch handling TLS scanning which works perfectly well.

As said initially - you don't have to use the list 1:1 - but you may use it as a starting point for your personal exclusion list,

Domain - App Type (e.g. mobile app, website, etc.)

naver.jp - Line iOS app
mindbodyonline.com - TruFusion iOS app
pypi.org, pythonhosted.org - pip (Python package manager)
uber.com - Uber Eats iOS app