Web Protection: Content filtering of HTTPS URLs by SNI

Enable the option to content filter HTTPS URLs without the full man-in-the-middle interception by doing lookups and categorization on the domains that are reported as part of the certificate exchange. While not as secure as full HTTPS interception, it would solve our problems and remove the need to do the full HTTPS roll-out procedures.

69 votes
    Thomas Gage shared this idea
    Thomas Gage shared a merged idea: Web Security: Classification of HTTPS CA URL's
    Eric R. Chiaramonte shared a merged idea: WebSecurity: HTTPS Allow Tunnelling Applications

    6 comments

      • Gene C commented

        A similar feature was present in the Sophos Web Appliance system. I'll welcome this feature coming over.

      • Thomas Gage commented

        TLS SNI appears to finally be supported by MS in Windows Server 2012, and already in Apache 2.2.12 using mod_ssl - so hopefully everyone will benefit.
        That said, how will this be handled in the case of a web server that does not yet support SNI?

      • William Warren commented

        Right now DNS is NOT secured unless you are using a known DNSSEC server. However, if you use the ASG for your DNS proxy this functionality should still work.

      • Josh Beard commented

        I agree. When using, for example, OpenDNS as a forwarder, this functionality works. I would love to see Astaro maintain a list of sites by domain based on category (or use a service like OpenDNS upstream). With SSL vulnerabilities over the past couple of years, the current method of interception seems like it won't be practical for much longer.

        Google, for instance, has apparently already started by preventing "non-official" CAs from working with Gmail, and I think we'll see more of this type of thing.

      • Bob Alfson commented

        I thought that the entire message was encrypted so that this couldn't be done, Thomas. Does the client's browser also send the plain text URL with the encrypted message even when Proxy Settings aren't configured?

        Cheers - Bob

      • Nar commented

        If this would allow LogMeIn, AT&T Global Connect, and other SSL VPNs to connect, then I would be all for it. I have to make specific proxy bypass and packet filter rules for each of these.
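As an added example, not part of the original idea and not Astaro/Sophos code: a small Python script that does what the idea above describes. It parses the server_name (SNI) extension out of a TLS ClientHello, which the client sends in plaintext before any key exchange has happened (so the hostname is visible to a proxy even when no browser proxy settings are configured, which is what Bob asks about), looks the name up in a category table, and returns an allow/block decision. The ClientHello builder, the category table, the blocked-category set and every hostname are constructed for this example; a real appliance would query its own categorisation service. On Thomas's question: a server that does not support SNI still receives the extension, because the client sends it regardless, so the filter keeps working; the case the filter has to decide on its own is a client that sends no SNI at all (very old clients, or connections to an IP literal), which the `no_sni_policy` parameter covers.

```python
import struct

# Constructed category table and policy (assumption: stands in for the
# appliance's real URL-categorisation service; all entries are made up).
CATEGORIES = {
    "gmail.com": "webmail",
    "mail.google.com": "webmail",
    "logmein.com": "remote-access",
    "example.com": "business",
}
BLOCKED_CATEGORIES = {"webmail"}


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record, with an SNI extension if
    server_name is given. Constructed test input, not a captured packet.
    Hostnames must already be ASCII A-labels, as they are on the wire."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host  # NameType 0 = host_name
        sni_list = struct.pack("!H", len(name_entry)) + name_entry    # ServerNameList
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x11" * 32           # random (constructed, not random)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x00\x2f"    # cipher_suites: one suite, TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"            # compression_methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def extract_sni(record):
    """Return the host_name from a TLS ClientHello record, or None if the
    client sent no SNI. Raises ValueError if the bytes are not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                         # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len              # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len                # compression_methods
    if pos >= len(body):
        return None                                      # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext_data = body[pos:pos + ext_size]; pos += ext_size
        if ext_type == 0x0000:
            # ServerNameList: 2-byte list length, then entries of type(1) + len(2) + name
            lpos = 2
            while lpos + 3 <= len(ext_data):
                name_type = ext_data[lpos]
                name_len = struct.unpack("!H", ext_data[lpos + 1:lpos + 3])[0]
                name = ext_data[lpos + 3:lpos + 3 + name_len]
                if name_type == 0:
                    return name.decode("ascii")
                lpos += 3 + name_len
    return None


def categorize(hostname):
    """Look the host up, then each parent domain, so a category assigned to
    example.com also covers www.example.com."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def decide(record, no_sni_policy="allow"):
    """Return (verdict, hostname, category) for one ClientHello record.
    no_sni_policy is the operator's choice for clients that send no SNI;
    the 'no-sni' tag makes the reason visible in logs."""
    host = extract_sni(record)
    if host is None:
        return (no_sni_policy, None, "no-sni")
    cat = categorize(host)
    return ("block" if cat in BLOCKED_CATEGORIES else "allow", host, cat)


if __name__ == "__main__":
    for name in ("mail.google.com", "www.example.com", "nothing.test", None):
        print(name, decide(build_client_hello(name), no_sni_policy="block"))
```

One caveat worth keeping in mind when weighing this against full interception: the SNI is a client-asserted, unauthenticated string. A client can put any name there and the server decides what it actually serves, so a policy built only on SNI can be evaded by a client that lies. Checking the name against the subjectAltName of the certificate the server sends back (the other half of "the certificate exchange" the idea mentions) closes most of that gap without needing the man-in-the-middle CA roll-out.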
