cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Categorize HTTPS Website and TLSv1.3

Hello Folks,

I am working with a client who has an issue blocking a specific adult categorized website. Security gateway is running R77.30 and management is on R80.10.

While the initial problem was because of an old app db due to which the website used to return as un-categorized. This was fixed, however we started to see that the website was still accessible over HTTPS. Categorize HTTPS websites is enabled (no inspection). 

Most of the known adult websites over HTTP or HTTPS is being blocked except this one (letmerjerk.com). When I ran tests on ssllabs, I did see multiple certificates returning (possible SNI too), but from the capture ran on a test setup and client's environment I saw that the server was returning the CN/DN matching the URL (no SNI). Further to this, while using additional TLS filters on Wireshark saw that the website is negotiating over TLSv1.3.

To confirm the behavior, I tried accessing the website using Internet explorer with TLSv1.2 and 1.1 disabled. Firewall blocked it successfully, while when I use Chrome (from version 63 is built to support TLSv1.3) website opens.

I understand HTTPS inspection is the answer, but we are talking about multiple client offices + multiple firewalls which invites additional work. TAC has been involved, but they don't seem be answering my question on this limitation, but its just a pure reply recommending Inspection to be enabled.

 

Anybody knows if this has been documented/discussed before?

0 Kudos
3 Replies
Highlighted

Re: Categorize HTTPS Website and TLSv1.3

HI @Udupi_krishna 

If you face an issue with only one URL (letmerjerk.com) then meanwhile you can make IP base rule to block this site.

Its resolved two IP 200.63.47.3 and 89.35.39.50.

regards

@Chinmaya_Naik 

0 Kudos

Re: Categorize HTTPS Website and TLSv1.3

I guess there was a typo in the URL, its letmejerk.com. While there are like 4 different IP addresses it resolves to, I wouldn't like to block it based on IP address.

Wrote this discussion post to further dig into the limitation I observed and wanted to understand if Checkpoint indeed confirms this behavior.

0 Kudos
Sigbjorn
Nickel

Re: Categorize HTTPS Website and TLSv1.3

TLS 1.3 is designed to prevent insight, which makes security more difficult.

R80.30 has new SNI features that will make HTTPS Categorization better, but I don't think it supports TLSv1.3 yet.

We discussed this briefly during last CPX, and I think Check Point said they where working on something, but I'm not sure how it will work or when it will be available.

A quick and good summary of how it works can be found in the YouTube clip here: https://community.checkpoint.com/t5/Access-Control-Products/HTTPS-Inspection-and-website-categorizat...

 

0 Kudos