HTTPS Compatibility

Certificate Validation

Often, end users have little knowledge about the reliability of a certificate authority, so they will often accept certificate authorities without knowing if they are from trusted sources. To overcome this problem, the Web Appliance includes most reliable certificate authorities, and it can automatically validate certificate authorities from the Sophos certificate authority list. You can also add custom certificate authorities. This allows you to prevent users from accepting certificate authorities.

HTTPS Scanning

To provide secure sessions between commercial or banking sites and users, HTTPS encrypts web content between the website server and the user’s browser. While the traffic between the two is encrypted during an HTTPS session, the content that is delivered is no less likely to be infected with viruses or other malware.

To scan encrypted content, the content must first be decrypted, then scanned, then re-encrypted for delivery to the requesting end-user’s browser. Doing this maintains the privacy of the encrypted content, as the process is done automatically without human eyes viewing the content.

However, because the traffic has been decrypted, the original site certificate cannot be used by the browser to authenticate the connection, so the original certificate is replaced by one generated automatically on the appliance using a Sophos-generated certificate authority. This replaces the original certificate, which requires that you download and install the Sophos-generated certificate authority into your users’ browsers. This can be done as a centralized system administration operation using Group Policy Objects.

In greater detail, here is how the Web Appliance handles HTTPS scanning:

You, the administrator, download the Sophos certificate authority from the Web Appliance and install it in your user’s browsers.
The user requests a secure web page through the Web Appliance.
The secure site and the Web Appliance negotiate a secure connection.
The Web Appliance creates a certificate for its secure session with the user.
The returned page goes through the following process: The secure site sends an HTTPS page to the Web Appliance. The Web Appliance decrypts the page. The Web Appliance scans the contents. The Web Appliance re-encrypts the page. The Web Appliance sends the re-encrypted page to the user, whose browser decrypts the page using the certificate authority installed in Step 1.

HTTPS Compatibility with Sites

Many financial sites require that clients use a specific certificate authority to establish an HTTPS session with the financial institution’s site. During HTTPS scanning, the appliance replaces the client certificate with its own certificate. Therefore, financial institutions that require special client certificates do not support HTTPS scanning. It is highly recommended that administrators enable the option to Exempt Financial & Investment sites from HTTPS scanning for maximum compatibility. This option is enabled by default when HTTPS scanning is enabled.

Some web services are incompatible with proxies that scan HTTPS content, and, therefore, it is recommended that you exempt them from HTTPS scanning. Of these, the Webex service webex.com is exempted from HTTPS scanning by default.

Some software applications use HTTPS for registration and expect specific certificates from the systems that are registering. When HTTPS scanning is enabled and the appliance generates its own certificate, such applications may not operate correctly. Of these, the Windows Vista activation site, sls.microsoft.com, is exempted from HTTPS scanning by default.

For a complete list of known sites that are incompatible with HTTPS scanning, refer to the section Managing HTTPS Scanning Exemptions, and add sites from the list to be exempt from HTTPS scanning as required.