SSL Inspection

About

SSL Inspection allows WebTitan to process encrypted HTTPS traffic. It achieves this by performing man-in-the-middle decryption and re-encryption of the HTTPS traffic, which lets it inspect the decrypted contents.

How HTTPS requests normally work

Put simply, HTTPS is SSL layered over HTTP. The SSL layer has 2 main purposes:

  1. Verifying that you are talking directly to the server that you think you are talking to

  2. Ensuring that only the server can read what you send it and only you can read what it sends back

The SSL connection is established as follows:

  1. The browser will negotiate a secure connection directly to the remote site. Once connected, the server has to prove its identity to the client. This is achieved using its SSL certificate. An SSL certificate contains various pieces of data, including the name of the owner, the domain, the certificate’s public key, the digital signature and information about the certificate’s validity dates. The client checks that it either implicitly trusts the certificate, or that it is verified and trusted by one of several Certificate Authorities (CAs) that it also implicitly trusts. If the remote site uses an unrecognized certificate authority, the browser will first prompt the user to inspect and accept this site's certificate authority.

  2. The certificate authority contains a key that verifies the authenticity of the encrypted content that is received from the secure website, and which the SSL software decrypts.

  3. Any information that the user submits to the secure website is also encrypted, and the authenticity of their submission is similarly verified by the certificate authority.

SSL Certificates

When SSL inspection is enabled, WebTitan uses a CA certificate to decrypt SSL traffic. One is already present on a new install and ready to be used, and further ones can be created.

Enabling this setting will result in browsers displaying warning messages proclaiming that there is a problem with a requested website's certificate. Though these warnings can be bypassed, it is not practical to deal with them for every web request. To prevent the warnings from appearing, the '.der' file of the CA certificate must be imported into any web browser that will be using WebTitan.

Browser Configuration

The way the .der file is imported varies from browser to browser. Below are the methods for importing it into all major browsers.

Internet Explorer, Google Chrome or Opera on Microsoft Windows

From your system's 'Network and Sharing Center' go to 'Internet Options'.


Go to the 'Content' tab and select 'Certificates'.



Make sure you do the below:

Go to the 'Trusted Root Certification Authorities' tab and click 'Import…'. The Certificate Import Wizard will open; click Next.

Click Browse on the next section, then find and select your certificate's .der file. You may need to select 'All files' in the file type dropdown of the explorer window.


Click Next. You should see 'Place all certificates in the following store' checked and the certificate store listed as 'Trusted Root Certification Authorities'. Click Next again and then Finish.

You will receive a 'Security Warning'. This warns that the generated certificate is not from a certification authority, as it has been generated by WebTitan. Click YES to proceed.

Firefox on Microsoft Windows

Open the menu and go to 'Options', then go to the 'Advanced' section and from here 'Certificates'.


Click 'View Certificates', and go to the 'Authorities' tab of the new window. Click 'Import…' and select the .der file that was downloaded from your WebTitan GUI.


Click OK. The certificate has now been imported and SSL traffic can be decrypted without warning messages.

Android Phone

Once connected to the company Wi-Fi, use a web browser to navigate to http://<WebTitan IP address>/ssl/ca.der

This will download the certificate and install it into your Android phone's default web browser.

iPhone

Once connected to the company Wi-Fi, use a web browser to navigate to http://<WebTitan IP address>/ssl/ca.der

This will download the certificate and install it into your iPhone's web browsers.

Install root certificate using Group Policy (GPO) distribution

The method for deploying trusted root certificates domain-wide is described at the link below:

http://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx

WebTitan Configuration

SSL Inspection is enabled from the 'Filtering > SSL Inspection > Configuration' tab. From here you can choose what traffic to inspect from the drop down menu.


All traffic: Decrypt all HTTPS traffic.

Selected Domains: Only decrypt specific domains, which you can add into the domains field below.

All Except Select Domains: Decrypt all HTTPS traffic except for the domains you can add into the field below.

From 'Filtering > Certification Authority' you create and download certificates to be imported into users' browsers. The .der file of the certificate in your browser must be the same one that is selected from the dropdown CA certificate menu.
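
The Windows import steps above and the requirement that the imported .der match the CA selected in WebTitan can be checked from PowerShell before anything is added to the trusted roots. This is an added example, not part of the WebTitan documentation; the download path, the expected fingerprint and the function name Get-InspectionCaStatus are assumptions to be replaced with your own values.

```powershell
# Added example. Path and expected fingerprint are placeholders (assumptions).
$DerPath        = "$env:USERPROFILE\Downloads\ca.der"   # .der downloaded from WebTitan
$ExpectedSha256 = '<SHA-256 fingerprint of the selected CA, confirmed out of band>'
$Store          = 'Cert:\CurrentUser\Root'              # per-user Trusted Root store

function Get-InspectionCaStatus {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [string]$StoreLocation = 'Cert:\CurrentUser\Root'
    )
    $file = (Resolve-Path -LiteralPath $Path).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # For a DER file, the SHA-256 of the file is the certificate fingerprint.
    $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    $wanted = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A certificate used to sign inspected sites must carry basicConstraints CA=TRUE.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $now = Get-Date

    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        FingerprintMatch = ($actual -eq $wanted)
        IsCa             = [bool]($bc -and $bc.CertificateAuthority)
        InValidity       = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        # Already trusted? Match on thumbprint, not on subject name.
        Installed        = [bool](Get-ChildItem -Path $StoreLocation |
                                  Where-Object Thumbprint -eq $cert.Thumbprint)
    }
}

$status = Get-InspectionCaStatus -Path $DerPath -ExpectedSha256 $ExpectedSha256 -StoreLocation $Store
$status | Format-List

# Import only the certificate that was verified, and only if it is missing.
if (-not ($status.FingerprintMatch -and $status.IsCa -and $status.InValidity)) {
    throw "Refusing to import ${DerPath}: it is not the expected, currently valid CA certificate."
}
if (-not $status.Installed) {
    Import-Certificate -FilePath $DerPath -CertStoreLocation $Store | Out-Null
}
```

If warnings persist after a CA change in WebTitan, run the function against the newly downloaded .der: an Installed value of False means the store still holds only the previous CA.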