topic Categorize HTTPS Website and TLSv1.3 in Firewall and Security Management

Categorize HTTPS Website and TLSv1.3

Udupi_krishna — Mon, 29 Jul 2019 10:49:20 GMT

Hello Folks,

I am working with a client who has an issue blocking a specific adult categorized website. Security gateway is running R77.30 and management is on R80.10.

While the initial problem was because of an old app db due to which the website used to return as un-categorized. This was fixed, however we started to see that the website was still accessible over HTTPS. Categorize HTTPS websites is enabled (no inspection).

Most of the known adult websites over HTTP or HTTPS is being blocked except this one (letmerjerk.com). When I ran tests on ssllabs, I did see multiple certificates returning (possible SNI too), but from the capture ran on a test setup and client's environment I saw that the server was returning the CN/DN matching the URL (no SNI). Further to this, while using additional TLS filters on Wireshark saw that the website is negotiating over TLSv1.3.

To confirm the behavior, I tried accessing the website using Internet explorer with TLSv1.2 and 1.1 disabled. Firewall blocked it successfully, while when I use Chrome (from version 63 is built to support TLSv1.3) website opens.

I understand HTTPS inspection is the answer, but we are talking about multiple client offices + multiple firewalls which invites additional work. TAC has been involved, but they don't seem be answering my question on this limitation, but its just a pure reply recommending Inspection to be enabled.

Anybody knows if this has been documented/discussed before?

Re: Categorize HTTPS Website and TLSv1.3

Chinmaya_Naik — Mon, 29 Jul 2019 11:42:46 GMT

HI @Udupi_krishna

If you face an issue with only one URL (letmerjerk.com) then meanwhile you can make IP base rule to block this site.

Its resolved two IP 200.63.47.3 and 89.35.39.50.

regards

@Chinmaya_Naik

Re: Categorize HTTPS Website and TLSv1.3

Udupi_krishna — Tue, 30 Jul 2019 05:16:55 GMT

I guess there was a typo in the URL, its letmejerk.com. While there are like 4 different IP addresses it resolves to, I wouldn't like to block it based on IP address.

Wrote this discussion post to further dig into the limitation I observed and wanted to understand if Checkpoint indeed confirms this behavior.

Re: Categorize HTTPS Website and TLSv1.3

Sigbjorn — Tue, 30 Jul 2019 10:32:06 GMT

TLS 1.3 is designed to prevent insight, which makes security more difficult.

R80.30 has new SNI features that will make HTTPS Categorization better, but I don't think it supports TLSv1.3 yet.

We discussed this briefly during last CPX, and I think Check Point said they where working on something, but I'm not sure how it will work or when it will be available.

A quick and good summary of how it works can be found in the YouTube clip here: https://community.checkpoint.com/t5/Access-Control-Products/HTTPS-Inspection-and-website-categorization-improvements/m-p/55828

Re: Categorize HTTPS Website and TLSv1.3

Nandhakumar — Fri, 19 Nov 2021 16:06:12 GMT

Hi,

After I enabled, categorize https websites on my internet facing gateway, some of the government specific websites stopped working and rest of the internet sites worked well. Any idea what would went wrong?

I havent seen any drops in smart console during the issue reported time.