Bit of a philosophical question.
There are many ways to filter your internal traffic going out to the internet, i.e.
All have pros and cons. IP based being least efficient. Explicit proxy is often a burden to automation or impossible to apply in certain instances, whereas the transparent option with TLS interception is less "visible" to the client itself, but issues with certificates keep causing headaches, plus interception is resource intensive and expensive.
One option to avoid these challenges would be using "HTTPS lite" or Categorization of HTTPS sites without HTTPS inspection. So clients don't need to specify a proxy, nor is there a "man in the middle" messing with certificates.
But of course the downside is the information available in logs - you don't get full URLs, but service names worked out from TLS handshake as seen below. It does limit your ability to determine all risks associated with that connection.
Would you accept this as a "sufficient information" log in your organisation? As highlighted above, classification is not 100%. Is that OK? 🙂
Just wondering how you do it 🙂
Keep in mind we’re also using SNI information in current releases and we actually verify the SNI out-of-band.
Yes indeed, I have taken that into account and that's also the reason to compare different options available. HTTPS lite would be "cheaper" and faster but with less logging and filtering options.
Hi,
First I have to say that the categorization with SNI works very well on the Check Point gateways from my experience. But I also have to say that the depth of the logs wouldn't be enough for a detailed analysis when needed. For example in case of a security incident we might have to know the exact URLs that were used or see precise GET/POST messages.
Also the ability to block specific file types and scan for malware etc. would be a reason alone to not trust the categorization mode in the environments I know. But these are always scenarios with many clients involved and a high chance of a human click on the wrong URLs etc.
But to be honest we are not super happy with the full HTTPS Inspection with Check Point either. The main reason is because of Content Awareness (very few default Data Types, problems with some file types) and the bad experience with UserCheck (the UserCheck Client helps but it's not very user friendly in general) and the lack of TLS 1.3 ("supported" in R81, but a feature that isn't enabled by default always sounds like a beta feature, and also only with User-Mode).
All experiences are based on R80.40.
Thanks @Marcel_Gramalla ! Exactly what I want to hear - real life stories 🙂
Yes indeed, both pinned sites and TLS 1.3 will make life even more challenging and push more security to the endpoint itself.
Indeed, logging detail is the biggest challenge in our PoC. But otherwise it seems to work quite OK. With the exception of Trusted CA list updates, that part seems a bit wobbly.
Happy to share some opinions in the community. We are working with TAC on two cases with problems in Content Awareness - the last one was handled very fast and well (had some bad experiences in the past as well). In one server-only environment we don't use Content or Identity Awareness and that makes life so much easier and was also very easy to deploy.
Regarding the Trusted CA issue in the other thread, I have to say that I never experienced any real world issues there. Have to check if I can validate your findings. Maybe I will post some insight there tomorrow as well 🙂
These are the ones that I have added so far: