This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Josh_Wilson
Participant
‎2017-09-08 06:17 AM
Jump to solution

HTTPS inspection and Netflix

I am having difficulty preventing/blocking access to Netflix services. It appears that the HTTPS inspection blade does not try to or cannot properly inspect the HTTPS traffic to https://www.netflix.com and I am looking for some insight on how to resolve this or if it is possible.

I did come across this article explaining how Netflix has advanced their efforts in deploying TLS and suggests something proprietary has been done. Could this be related?

It wasn’t easy, but Netflix will soon use HTTPS to secure video streams | Ars Technica  

Has anyone else already struggled with this?

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2017-09-08 02:26 PM
In response to Josh_Wilson
Jump to solution

If Netflix uses Certificate Pinning in it's HTTPS Implementation, you cannot do HTTPS Inspection on that traffic without breaking Netflix.

In which case, the only solution is to disable inspection for those destination IPs listed in the link https://community.checkpoint.com/people/dantr917b8439-9d5c-34f0-b86a-f0e1b0a14cbd provided.

View solution in original post

0 Kudos
8 Replies
Danny
MVP Platinum
MVP Platinum
‎2017-09-08 12:53 PM
Jump to solution

sk114419 describes what to do.

  1. Create network objects to represent ranges or networks on IP addresses used by "Netflix" clients.
  2. Configure the above network objects in the HTTPS Inspection Bypass rule.
  3. Install the policy.
0 Kudos
Josh_Wilson
Participant
‎2017-09-08 01:08 PM
In response to Danny
Jump to solution

I appreciate the response but wouldn't that SK provide an alternative method to bypassing HTTPS inspection? I actually want to be able to inspect the traffic properly so that I can accurately "block" access using the application layer.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-09-08 02:26 PM
In response to Josh_Wilson
Jump to solution

If Netflix uses Certificate Pinning in it's HTTPS Implementation, you cannot do HTTPS Inspection on that traffic without breaking Netflix.

In which case, the only solution is to disable inspection for those destination IPs listed in the link https://community.checkpoint.com/people/dantr917b8439-9d5c-34f0-b86a-f0e1b0a14cbd provided.

0 Kudos
Josh_Wilson
Participant
‎2017-09-08 03:20 PM
In response to PhoneBoy
Jump to solution

I think I understand. But without inspection, Netflix will pass through without any enforcement, correct?

0 Kudos
PhoneBoy
Admin
Admin
‎2017-09-08 03:33 PM
In response to Josh_Wilson
Jump to solution

You will still have enforcement as it should be possible to tell it's Netflix traffic without doing HTTPS Inspection.

0 Kudos
Eric_Oakeson
Employee Alumnus
Employee Alumnus
‎2017-11-22 10:01 AM
Jump to solution

I think I just found a fix for this one, you need to install the Symantec intermediate cert in to the HTTPS Inspection Trust CAs area. Once I did that, I stopped getting rejected for Netflix.

Here is Netflix getting rejected:

netflix rejected

Even though I told it to allow untrusted certificates in the HTTPS Validation configurations:

https validation

I looked through the certificate chain for https://www.netflix.com and there was this Intermediate cert in there:

netflix certificate chain

I went to Symantec and found that certificate (Symantec SSL Certificates Support ) and installed it as a Trusted CA in HTTPS Inspection:

netflix symantec cert installed

Once I did that, I was no longer getting rejected and this should also allow proper enforcement of Netflix as well. On a block rule I was also able to get the UserCheck page to appear, so HTTPS inspection is working properly now.

netflix usercheck

PhoneBoy
Admin
Admin
‎2017-11-22 10:05 AM
In response to Eric_Oakeson
Jump to solution

Great tip, thanks for sharing this with the community.

0 Kudos
Eric_Oakeson
Employee Alumnus
Employee Alumnus
‎2017-11-28 04:31 PM
In response to Eric_Oakeson
Jump to solution

Update from further testing, this works on Windows, Mac, and Android devices. Still seeing issues with Apple iOS devices as they use a different URL (ios.nccp.netflix.com) which seems to have cert issues of its own, so still be aware of that one. I haven't been able to get that working yet.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events