
Your Connection is not Private on Blocked Sites

Hi, I'm new to Sophos UTM.

I have a Web Filtering Policy blocking Categories including facebook and youtube.

Some sites, when blocked, show the company's logo with the web messages, but there are also some sites, especially Facebook and YouTube, that only show this:

Your connection is not private

Attackers might be trying to steal your information from facebook.com (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID


Please help me fix this. Thank you.



  • As I thought the other document explained, this is expected behavior. You must distribute the UTM root certificate to your client devices to fix the problem.

    To display a block message, UTM must impersonate the destination server. For HTTP sites, this can be done because HTTP does not validate the responding system. When the site is HTTPS, UTM has to get past the server authentication test before it can display the block message. If the root certificate is on the client desktop, the block message displays. If not, the browser displays a warning. Most browsers give you the option to proceed anyway. I believe that Edge will not allow you to proceed past the warning.

    Firefox is difficult because it does not use the system certificate store, but uses a per-user store instead. At one point I thought they were going to change this, but I don't use Firefox anymore, so I do not know if it was ever done.

    If you are having certificate warnings on allowed sites, the problem is different. If you have decrypt-and-scan enabled, some connections will fail because UTM and the remote site cannot negotiate a shared ciphersuite. The workaround is to bypass HTTPS inspection for any such sites.

    You may benefit from reading the other material in the Wiki section, and the "Web Filtering Lessons Learned" document which is pinned to the top of the web filtering forum. This part of the product works extremely well. I don't understand what other information you need.

Reply
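
The answer above says the browser only accepts the HTTPS block page once the UTM root certificate is in the client's trust store. The following shell script, added here and not from the thread or from Sophos, builds a stand-in proxy CA and block-page certificate with openssl (assumed to be on PATH; "Demo UTM Proxy CA" and "blocked.example" are constructed names) and validates that certificate the way a browser would, first without and then with the root in the trust store.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sophos: it reproduces why a
# block page served for an HTTPS site fails certificate validation until the
# proxy's root CA is distributed to the client. Assumptions: openssl is on PATH;
# "Demo UTM Proxy CA" and "blocked.example" are constructed stand-ins.
set -e
WORK=$(mktemp -d)

# 1. Stand-in for the UTM root CA: self-signed and flagged CA:TRUE so it can issue.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo UTM Proxy CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
  -keyout "$WORK/utm-ca.key" -out "$WORK/utm-ca.pem" 2>/dev/null

# 2. The leaf certificate the proxy presents while impersonating the blocked
#    site so that it can deliver the block page over TLS.
printf 'subjectAltName=DNS:blocked.example\n' > "$WORK/leaf.ext"
openssl req -new -config "$WORK/ca.cnf" -subj "/CN=blocked.example" -newkey rsa:2048 \
  -nodes -sha256 -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/utm-ca.pem" -CAkey "$WORK/utm-ca.key" \
  -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# verify_leaf [CAFILE]: validate the proxy's leaf like a browser would, ignoring the
# default CA file/directory and trusting only CAFILE (no argument = a client that
# never received the UTM root). "untrusted" is what Chrome shows as NET::ERR_CERT_AUTHORITY_INVALID.
verify_leaf() {
  if openssl verify -no-CAfile -no-CApath ${1:+-CAfile "$1"} "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "client without the UTM root: $(verify_leaf)"
echo "client with the UTM root:    $(verify_leaf "$WORK/utm-ca.pem")"
```

The first line prints "untrusted" (the browser warning the question describes) and the second prints "trusted" (the block page displays), which is the whole effect of distributing the root certificate.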