Web Protection: Content filtering of HTTPS URLs by certificate domain
Enable the option to content filter HTTPS URLs without the full man-in-the-middle interception by doing lookups and categorization on the domains that are reported as part of the certificate exchange. While not as secure as full HTTPS interception, it would solve our problems and remove the need to do the full HTTPS roll-out procedures.
4 comments
-
William Warren
commented
Right now DNS is NOT secured unless you are using a known DNSSEC server. However, if you use the ASG for your DNS proxy, this functionality should still work.
-
Josh Beard
commented
I agree. When using, for example, OpenDNS as a forwarder, this functionality works. I would love to see Astaro maintain a list of sites by domain based on category (or use a service like OpenDNS upstream). With SSL vulnerabilities over the past couple of years, the current method of interception seems like it won't be practical for much longer.
Google, for instance, has apparently already started by preventing "non-official" CAs from working with Gmail, and I think we'll see more of this type of thing.
-
Bob Alfson
commented
I thought that the entire message was encrypted so that this couldn't be done, Thomas. Does the client's browser also send the plain text URL with the encrypted message even when Proxy Settings aren't configured?
Cheers - Bob
-
Nar
commented
If this would allow LogMeIn, AT&T Global Connect, and other SSL VPNs to connect, then I would be all for it. I have to make specific proxy bypass and packet filter rules for each of these.