This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Https Strict Transport Security (HSTS) sites break transparent browser authentication

Hi,

We are evaluating transparent browser authentication with https filter only scanning.

The problem is if user opens a HSTS enabled site, chrome and firefox throws certificate errors and refuse to continue or add a security exeption. So user does not see UTM login page.

If the user opens a http or non HSTS https site first, he can login then the HSTS sites without any certificate errors.

Btw Under Web Protection->Misc->Certificate for End-User Pages ->Use a custom certificate for HTTPS pages is selected. Under there hosname is setted to artvin.edu.tr and use uploaded our wildcard valid certificate. Also in our dns server we have passthrough.artvin.edu.tr. IN A 213.144.15.19
So our users dont get certificate errors on passthrough.artvin.edu.tr pages.

This thread was automatically locked due to age.

Parents

0 TheDrew over 9 years ago

One thing you can do in newer UTM releases (I'm on 9.2x) is to change the HTTPS filtering from Decrypt & Scan to URL Filtering only. If you are mainly concerned with blocking traffic to certain sites but don't need to snoop inside the https session, URL Filtering works fine with HSTS as it only looks at the requested URL (sent in the clear even on https), not the body of the request (encrypted).
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 TheDrew over 9 years ago

One thing you can do in newer UTM releases (I'm on 9.2x) is to change the HTTPS filtering from Decrypt & Scan to URL Filtering only. If you are mainly concerned with blocking traffic to certain sites but don't need to snoop inside the https session, URL Filtering works fine with HSTS as it only looks at the requested URL (sent in the clear even on https), not the body of the request (encrypted).
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data