https://wiki.edge.arista.com/index.php?action=history&feed=atom&title=HTTPSHTTPS - Revision history2026-04-04T06:21:49ZRevision history for this page on the wikiMediaWiki 1.44.3https://wiki.edge.arista.com/index.php?title=HTTPS&diff=20969&oldid=prevDmorris at 15:57, 12 November 20172017-11-12T15:57:21Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 15:57, 12 November 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l18">Line 18:</td>
<td colspan="2" class="diff-lineno">Line 18:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* Options that rely on modifying the stream will not work (Youtube for Schools, Safe-Search enforcement).</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* Options that rely on modifying the stream will not work (Youtube for Schools, Safe-Search enforcement).</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>* The URI <del style="font-weight: bold; text-decoration: none;">of the request </del>is encrypted so only the domain is known. This means sites will be either blocked or not which may be undesirable for some sites (like Wikipedia) where you want to allow some content but not other content.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>* The URI <ins style="font-weight: bold; text-decoration: none;">and content </ins>is encrypted so only the domain is known. This means sites will be either blocked or not which may be undesirable for some sites (like Wikipedia) where you want to allow some content but not other content.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* HTTPS block pages will display an certificate warning if the client does not have Untangle's root CA cert installed.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* HTTPS block pages will display an certificate warning if the client does not have Untangle's root CA cert installed.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br></td></tr>
</table>Dmorrishttps://wiki.edge.arista.com/index.php?title=HTTPS&diff=3671&oldid=prevDmorris at 08:16, 15 February 20162016-02-15T08:16:52Z<p></p>
<p><b>New page</b></p><div>HTTPS is HTTP over SSL. Untangle applications (like [[Web Filter]]) will typically filter web request by reading them transparently as they are sent to the server. The applications are free to block requests, modify them, redirect them to other places and other actions.<br />
<br />
HTTPS, however, is much more difficult because it is encrypted between the client and the server. Because Untangle sits in between the client and the server, all it sees is an encrypted stream. It is unable to see the web request or modify it.<br />
<br />
Because of this, dealing with HTTPS properly requires some extra steps. Untangle provides a few ways to deal with HTTPS. Choosing the right one depends on the goals and desires of your organization.<br />
<br />
= [[Web Filter]] without [[SSL Inspector]] =<br />
<br />
The first and most common way to deal with HTTPS is to enable the options in Web Filter that allow it categorize HTTPS sessions by "SNI" IP or cert information. Basically these options allow Web Filter to handle HTTPS without decrypting it. To read more about these options read [[Web_Filter#HTTPS_Options]].<br />
<br />
== Advantages ==<br />
<br />
* This technique is very simple to deploy and maintain. <br />
* It requires no changes on the client. <br />
* This technique is usually effective with blocking categories. <br />
<br />
== Disadvantages ==<br />
<br />
* Options that rely on modifying the stream will not work (Youtube for Schools, Safe-Search enforcement).<br />
* The URI of the request is encrypted so only the domain is known. This means sites will be either blocked or not which may be undesirable for some sites (like Wikipedia) where you want to allow some content but not other content.<br />
* HTTPS block pages will display an certificate warning if the client does not have Untangle's root CA cert installed.<br />
<br />
= [[SSL Inspector]] full inspection =<br />
<br />
[[SSL Inspector]] decrypts HTTPS and re-encrypts it on the server side and maintains two separate encrypted channels. Between the two encrypted channel normal unencrypted HTTP flows through the other applications. SSL Inspector can do this task on all HTTPS traffic giving the admin full control over all HTTPS traffic.<br />
<br />
== Advantages ==<br />
<br />
* Very powerful.<br />
* Full featured.<br />
<br />
== Disadvantages ==<br />
<br />
* Requires new root certificate to be added to all clients' browsers and O/S's.<br />
* May cause higher load if the server is processing heavy amounts of HTTPS traffic.<br />
* May interfere with certain HTTPS apps with hardcoded certs and require "ignore rules" to be added.<br />
* The administrator, not the user, is now responsible for deciding which upstream certificates are accepted in some cases (self-signed certs etc) and configuring these cases.<br />
<br />
= [[SSL Inspector]] partial inspection =<br />
<br />
Similar to above admins can use SSL Inspector on only important HTTPS traffic, like google.com, youtube.com, facebook.com, etc while handling other HTTPS traffic as encrypted channels. This is similar to the above but slightly less maintenance overhead because only certain HTTPS sites are effected.<br />
<br />
== Advantages ==<br />
<br />
* Very powerful<br />
* Most features (Safe Search enforcement, logging of searches, etc) still work.<br />
* Doesn't touch critical HTTPS to banks and other applications.<br />
<br />
== Disadvantages ==<br />
<br />
* Requires new root certificate to be added to all clients' browsers and O/S's for monitored sites.<br />
* May cause higher load if lots of HTTPS traffic.</div>Dmorris