This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Update to Facebook Android App breaks web filter

2015:12:01-22:20:58 sophos httpproxy[5409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1571" message="Read error on the http handler 747 (Input/output error)"
2015:12:01-22:20:58 sophos httpproxy[5409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1571" message="Read error on the http handler 749 (Input/output error)"
2015:12:01-22:20:58 sophos httpproxy[5409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1571" message="Read error on the http handler 795 (Input/output error)"
2015:12:01-22:20:59 sophos httpproxy[5409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1571" message="Read error on the http handler 749 (Input/output error)"
2015:12:01-22:20:59 sophos httpproxy[5409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="read_request_headers" file="request.c" line="1571" message="Read error on the http handler 747 (Input/output error)"

The recent update to the Facebook Android App causes an issue with the web filter.

I have it set up "Decrypt and Scan" option, not just the "URL Filtering" option. I haven't tried switching it, as I prefer the much more invasive option. THis happens EVERY time the facebook app tries to connect. And not just from one device, but from all of it. 

Something the facebook app is doing has changed and it's causing issues with the filter. 



This thread was automatically locked due to age.
Parents
  • iOS has had this issue for quite some time now. Many companies are now validating certificates through the application itself. From my understanding, Facebook has now included the info for its certificates in the app itself and so it recognizes when it receives a certificate from your UTM and not one of its own servers. This is an article that talks about Google Drive and Palo Alto's approach to it, but it explains what I believe to be the same issue.

    As far as solutions, I have elected to use the "Decrypt and Scan the following:" option. Thought it's not as invasive, I mainly use it on sites that shouldn't be visited anyway (explicit or unsafe) and search engines where I would like to know the search terms that have been queried. You may try this option and simply remove "Social Networking" from the list. You would still decrypt the greater majority of your traffic without these issues. 

  • Ugh. I mean, I can understand why. But seriously, why have the option to import CA certs into the OS if the apps aren't going to use them. That's ... scummy.

    But thanks for the info. That definitely fixes the issue. Though I would feel much better if I *didn't* have to do this.
  • SSL decryption will become even harder to use as more apps being implementing this. You'll notice that a lot of CDNs are doing the same thing and won't function when being decrypted. I exclude them from decryption as well. Chrome on iOS is the same way. It will not use an installed profile...you have to use Safari in order to avoid security warnings. 

Reply
  • SSL decryption will become even harder to use as more apps being implementing this. You'll notice that a lot of CDNs are doing the same thing and won't function when being decrypted. I exclude them from decryption as well. Chrome on iOS is the same way. It will not use an installed profile...you have to use Safari in order to avoid security warnings. 

Children
No Data