Web Protection: Content filtering of HTTPS URLs by SNI
Enable the option to content filter HTTPS URLs without the full man-in-the-middle interception by doing lookups and categorization on the domains that are reported as part of the certificate exchange. While not as secure as full HTTPS interception, it would solve our problems and remove the need to do the full HTTPS roll-out procedures.
Enable to option to filter HTTPS traffic on category for transparent proxy mode, based on domain lookup. While it wouldn't be the same as fully investigating the insides of the transaction, it would allow for a method of HTTPS filtering which still could provide some protection.
A captive portal would answer some of this need regarding non-controlled clients - but only if it includes enough user-instructions and "push-button" configuration to make non-controlled clients easy to provision with the needed CA cert, etc.
The portal should work with non-Astaro wireless access points, and it should allow multiple config profiles, for multiple vlans with different needs.
This would include non-authentication options for those services that allow for 802.1x authentication when joining the wireless network, but still need to provide the instructions and push-button config for the SSL CA cert to new clients.
Create a less restrictive HTTPS Scanning where only the URL gets checked allowing some URL Control while allowing SSL based apps to have a more seamless integration
This feature will be part of the UTM 9.2 release which will enter public beta in September 2013 for GA release in November. Stay tuned! However I will adjust this feature as we wil ldo it by SNI not Certificate domain.
Gene C commented
A similar feature was present in the Sophos Web Appliance system. I'll welcome this feature coming over.
Thomas Gage commented
TLS SNI appears to finally be supported by MS in Windows Server 2012, and already in Apache 2.2.12 using mod_ssl - so hopefully everyone will benefit.
That said, how will this be handled in the case of a web server that does not yet support SNI?
William Warren commented
right now dns is NOT secured unless you are using a known dnssec server. However if you use the ASG for your dns proxy this functionality shold still work.
Josh Beard commented
I agree. When using, for example, OpenDNS as a forwarder, this functionality works. I would love to see Astaro maintain a list of sites by domain based on category (or use a service like OpenDNS upstream). With SSL vulnerabilities over the past couple of years, the current method of interception seems like it won't be practical for much longer.
Google, for instance, has apparently already started by preventing "non-official" CAs from working with Gmail, and I think we'll see more of this type of thing.
Bob Alfson commented
I thought that the entire message was encrypted so that this couldn't be done, Thomas. Does the client's browser also send the plain text URL with the encrypted message even when Proxy Settings aren't configured?
Cheers - Bob
If this would allow LogMeIn, AT&T Global Connect, and other SSL VPN's to connect, then I would be all for it. I have to make specific proxy bypass and packet filter rules for each of these.