Domains you’ve had to add to “Local TLS exclusion list”

I'm glad to see Sophos has a “Managed TLS exclusion list” for exclusion from SSL/TLS inspection. There are obviously still websites/apps we will find that have issues, but I'm not sure what the formal way is to submit those domains. I figure maybe this thread would be a good way for folks to share. This assumes:


1. You’re using the “Managed TLS exclusion list” in the default “Exclusions by website or category” SSL/TLS inspection rule.
2. You’re using the “Maximum Compatibility” Decryption profile in your SSL/TLS inspection rule.
3. You’ve verified TLS 1.3 decryption isn’t the issue (i.e. tried with “Downgrade to TLS 1.2 and decrypt” setting).


Domain - App Type (e.g. mobile app, website, etc.)

instagram.com - Instagram iOS app
facebook.com - Facebook iOS app
fbcdn.net - Loading of media in Facebook iOS app
nest.com - Nest iOS app
ecobee.com - Ecobee iOS app
ring.com - Ring iOS app
cujo.io - Cujo iOS app

  • Hi Shred,

    I found facebook was being blocked by my application filter not by DPI. For the moment I have allow all in the application filter setting.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I've added quite a few over time. Even if it gives some insights about some apps and IoT devices I'm using and other information - I post the list here (without a bigger explanation...) - hope it helps some others to get some stuff working.

    www.apple.com
    www.youtube.com
    www.netflix.com
    whatsapp.net
    androidwearcloudsync-pa.googleapis.com
    google.com
    android.clients.google.com
    play.googleapis.com
    groupemutuel.ch
    apple.com
    olmprodpowerlift-cdn.azureedge.net
    samsungosp.com
    api.smartthings.com
    one.viseca.ch
    dqa.samsung.com
    windows.net
    mobile.pipe.aria.microsoft.com
    samsungapps.com
    api.worxlandroid.com
    api.io.mi.com
    account.xiaomi.com
    api.xiaomi.com
    dls.di.atlas.samsung.com
    iot.eu-west-1.amazonaws.com
    apis.samsungiotcloud.com
    client.smartthings.com
    launchdarkly.com
    samsungiotcloud.com
    office.com
    office365.com
    sophos.net
    acompli.net
    outlookmobile.com
    microsoftonline.com
    outlookmobile-office365-tas.msedge.net
    spotify.com
    spotify-com.akamaized.net
    microsoft.com
    msedge.net
    duosecurity.com
    dyson.com
    msg-easytax.ch
    msftauth.net
    force.com
    salesforce.com
    whatfix.com
    darkbytes.io
    eum-appdynamics.com
    zoom.us
    nexusrules.officeapps.live.com
    live.com
    connectivitycheck.gstatic.com
    googleusercontent.com
    gvt1.com
    android.googleapis.com
    cdn.jsdelivr.net
    youtubei.googleapis.com
    elastic-payments.com
    firebaseio.com
    revolut.com
    firebaseremoteconfig.googleapis.com
    shazam.com
    haustechnikdialog.de
    xbox.com
    duckduckgo.com
    console.aws.amazon.com
    grc.com
    emirates.com
    api.snapcraft.io
    scsstatic.ch
    odrs.gnome.org
    blinkist.com
    blinkist.io
    h-hotels.com

  • You added all these to the TLS exclusion list? Might as well turn decryption off, lol.

    What's wrong with google.com, emirates, and all those Microsoft domains? Works just fine with SSL/TLS DPI Decryption on.

  • Bjoern Freiherr said:

    You added all these to the TLS exclusion list? Might as well turn decryption off, lol.

    What's wrong with google.com, emirates, and all those Microsoft domains? Works just fine with SSL/TLS DPI Decryption on.

    Have you taken a look at the “Managed TLS exclusion list”? There’s quite a few domains on there, to include some Microsoft domains.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Yep, but they are specific subdomains with issues and the list is updated automatically, so no reason to add them again manually or list a bunch of first level domains. Just wondering if the huge list that was posted was really meant for this. I haven't encountered many issues with TLS decryption yet.

  • The issues appear to have reduced significantly since the release of EAP2.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • That's a common misbelief: people think that if TLS interception is used, every website has to be MITM'ed / scanned. In a perfect world that would be true, if MITM throughput weren't a cost factor and no sites got broken by MITM'ing them.

    However, while "normal" websites work without issues if they get TLS scanned (besides probably slower video starts and intermittent hiccups during streaming), most of the exceptions here are for mobile and IoT device usage.

    For example - Google can be TLS scanned perfectly without issues if only used in the web browser. But Google search on Android devices (also voice search) is broken if MITM'ed. Instead of searching for all the required subdomains or specific hosts to get that working, I simply excluded google.com, as I see Google as a "trusted" provider (in terms of "I don't expect them to deliver me malware").

    Other sites present/make use of client certificates to authenticate a client, and MITM'ing breaks such apps. Those are in particular many of the "api.xxx" sites, or authentication sites such as msftauth.net, for example.

    Lots of them are excluded due to IoT devices (and especially their apps on mobiles) so as not to break communication. There are all the mi, dyson, samsungiotcloud etc. sites... Also here - instead of searching for every single host and subdomain, I see those providers as trusted ones and simply exclude the whole domains.

    Same with blinkist or spotify content sites. While the web browser works well with interception, the mobile apps get partly broken without exclusions, as no blinkist or spotify content downloads are possible to the app.

    There is in general the recommendation to exclude specific categories/websites from TLS scanning which are considered trusted and unlikely to provide malware, such as streaming sites (Netflix, Youtube, Vimeo etc.) or banking sites (ubs.com, postfinance.ch etc.) - so they are excluded in my environment to speed things up (streaming), lower decryption load on my appliance and be compliant (banking doesn't like to get their traffic intercepted).

    I'm also aware that the Sophos Managed exclusion list is growing steadily, so duplicates with my list may occur. But I started collecting my exclusions already at the Sophos internal EAP0 before the public beta started, when the Sophos provided list was a little shorter ;o)

    So I'm doing best practice here by excluding problematic or trusted providers from TLS scanning. If I were more paranoid and willing to spend hours finding the exact hosts or subdomains, I could slim down the domains to more exact hosts/subdomains, but personally I'm fine with those exclusions, which provide a well working environment including mobiles and IoT devices, but enough security to get all non-trusted providers TLS scanned.

    Finally it's a question of how hard you want to make your life to reach a specific security and usability level. I believe handling of TLS scanning is the perfect example of living the Pareto 80/20 principle ;o) Finally, most of your customers are not willing to pay for the hours spent fixing TLS exclusions on a macro level - I have had (since SSL scanning was introduced in ASG 7.4) a quite pragmatic approach to handling TLS scanning which works perfectly well.

    As said initially - you don't have to use the list 1:1 - but you may use it as a starting point for your personal exclusion list.
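The two concerns raised above (a local list full of first-level domains that already cover their own subdomains, and local entries that duplicate the vendor's managed list) can be checked mechanically. This is an added example, not Sophos code or the poster's own tooling: it collapses an exclusion list to its minimal covering set and reports which entries are redundant. The sample entries are taken from the list posted above; the "managed" list used here is a constructed stand-in, not the real Sophos-managed list.

```python
"""Collapse a TLS-exclusion domain list and flag redundant entries (added example)."""


def normalize(domain):
    # Lower-case, drop a leading "*." or ".", and a trailing dot.
    d = domain.strip().lower().rstrip(".")
    if d.startswith("*."):
        d = d[2:]
    return d.lstrip(".")


def is_covered(domain, parent):
    """True when an exclusion for `parent` also matches `domain`.

    The check is anchored on a label boundary: "spotify-com.akamaized.net"
    is NOT covered by "spotify.com", even though it contains that string.
    """
    return domain == parent or domain.endswith("." + parent)


def minimal_set(domains):
    """Keep only entries that no shorter entry already covers."""
    uniq = sorted({normalize(d) for d in domains if d.strip()},
                  key=lambda d: (d.count("."), d))  # parents before children
    kept = []
    for d in uniq:
        if not any(is_covered(d, p) for p in kept):
            kept.append(d)
    return sorted(kept)


def redundant(domains, managed=()):
    """Map each redundant local entry to the entry that already covers it.

    Coverage by the managed list is reported first; otherwise by another
    local entry that is a parent of this one.
    """
    local = [normalize(d) for d in domains if d.strip()]
    base = [normalize(m) for m in managed]
    found = {}
    for d in local:
        covering = [p for p in base if is_covered(d, p)]
        covering += [p for p in local if p != d and is_covered(d, p)]
        if covering:
            found[d] = covering[0]
    return found


# Entries from the list posted in this thread (a subset).
SAMPLE = ["www.apple.com", "apple.com", "google.com", "android.clients.google.com",
          "play.googleapis.com", "office.com", "nexusrules.officeapps.live.com",
          "live.com", "spotify.com", "spotify-com.akamaized.net"]
# Constructed stand-in for a vendor-managed list; not the real Sophos list.
MANAGED_STAND_IN = ["*.live.com", "play.googleapis.com"]
```

Running `redundant(SAMPLE, MANAGED_STAND_IN)` shows which local lines can be dropped and why, while `minimal_set(SAMPLE)` yields the shortest list with the same match coverage.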
