Josh_Wilson
Participant

HTTPS inspection and Netflix

I am having difficulty preventing/blocking access to Netflix services. It appears that the HTTPS inspection blade does not try to or cannot properly inspect the HTTPS traffic to https://www.netflix.com and I am looking for some insight on how to resolve this or if it is possible.

I did come across this article explaining how Netflix has advanced their efforts in deploying TLS and suggests something proprietary has been done. Could this be related?

It wasn’t easy, but Netflix will soon use HTTPS to secure video streams | Ars Technica  

Has anyone else already struggled with this?

0 Kudos
8 Replies
Danny
Champion

sk114419 describes what to do.

  1. Create network objects to represent ranges or networks on IP addresses used by "Netflix" clients.
  2. Configure the above network objects in the HTTPS Inspection Bypass rule.
  3. Install the policy.
0 Kudos
Josh_Wilson
Participant

I appreciate the response but wouldn't that SK provide an alternative method to bypassing HTTPS inspection? I actually want to be able to inspect the traffic properly so that I can accurately "block" access using the application layer.

0 Kudos
PhoneBoy
Admin

If Netflix uses Certificate Pinning in its HTTPS implementation, you cannot do HTTPS Inspection on that traffic without breaking Netflix.

In which case, the only solution is to disable inspection for those destination IPs listed in the link https://community.checkpoint.com/people/dantr917b8439-9d5c-34f0-b86a-f0e1b0a14cbd provided.

0 Kudos
Josh_Wilson
Participant

I think I understand. But without inspection, Netflix will pass through without any enforcement, correct?

0 Kudos
PhoneBoy
Admin

You will still have enforcement, as it should be possible to tell it's Netflix traffic without doing HTTPS Inspection.

0 Kudos
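The point above is that the application can be identified from cleartext TLS metadata alone, because the Server Name Indication (SNI) extension in the ClientHello is sent before any encryption. The following is an added example, not Check Point code and not the gateway's actual application-detection logic: it builds a constructed ClientHello, extracts the SNI from it, and matches the name against a hypothetical Netflix signature list (only `netflix.com`, the domain named in this thread). The 32-byte random, the cipher suite and the hostnames are constructed sample values.

```python
"""Identify an application from the TLS ClientHello SNI without decrypting anything.
Added example for this thread; not Check Point's implementation."""

# Hypothetical signature table: application -> domain suffixes (constructed).
SIGNATURES = {"Netflix": ["netflix.com"]}


def build_client_hello(server_name: str, include_sni: bool = True) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying (or omitting) SNI."""
    exts = b""
    if include_sni:
        name = server_name.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name      # host_name type 0
        sni_list = len(entry).to_bytes(2, "big") + entry
        exts = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # ext type 0
    body = (
        b"\x03\x03"                   # client_version TLS 1.2
        + b"\x11" * 32                # random (constructed placeholder bytes)
        + b"\x00"                     # empty session_id
        + b"\x00\x02\x13\x01"         # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                 # one compression method: null
    )
    if include_sni:
        body += len(exts).to_bytes(2, "big") + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record, or None."""
    try:
        if len(record) < 5 or record[0] != 0x16:          # not a handshake record
            return None
        rec_len = int.from_bytes(record[3:5], "big")
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 2 + 32                                        # skip version + random
        p += 1 + body[p]                                  # session_id
        p += 2 + int.from_bytes(body[p:p + 2], "big")     # cipher_suites
        p += 1 + body[p]                                  # compression_methods
        if p + 2 > len(body):                             # no extensions at all
            return None
        end = p + 2 + int.from_bytes(body[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(body[p:p + 2], "big")
            elen = int.from_bytes(body[p + 2:p + 4], "big")
            data = body[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype != 0:
                continue
            list_end = 2 + int.from_bytes(data[0:2], "big")
            q = 2
            while q + 3 <= list_end:
                ntype = data[q]
                nlen = int.from_bytes(data[q + 1:q + 3], "big")
                name = data[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:
                    return name.decode("ascii", "replace")
        return None
    except IndexError:                                    # truncated/malformed hello
        return None


def match_application(host, signatures=SIGNATURES):
    """Map an SNI host name to an application by exact or parent-domain match."""
    if not host:
        return None
    host = host.lower().rstrip(".")
    for app, domains in signatures.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                return app
    return None


if __name__ == "__main__":
    for hello in (build_client_hello("www.netflix.com"), build_client_hello("x", include_sni=False)):
        sni = extract_sni(hello)
        print(sni, "->", match_application(sni))
```

A hello without SNI (or an ESNI/ECH-protected one) yields `None`, which is the case where identification has to fall back to destination IP ranges such as those the SK-based bypass rule uses.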
Eric_Oakeson
Employee Alumnus

I think I just found a fix for this one: you need to install the Symantec intermediate cert into the HTTPS Inspection Trusted CAs area. Once I did that, I stopped getting rejected for Netflix.

Here is Netflix getting rejected:

[Screenshot: netflix rejected]

Even though I told it to allow untrusted certificates in the HTTPS Validation configurations:

[Screenshot: https validation]

I looked through the certificate chain for https://www.netflix.com and there was this Intermediate cert in there:

[Screenshot: netflix certificate chain]

I went to Symantec and found that certificate (Symantec SSL Certificates Support) and installed it as a Trusted CA in HTTPS Inspection:

[Screenshot: netflix symantec cert installed]

Once I did that, I was no longer getting rejected and this should also allow proper enforcement of Netflix as well. On a block rule I was also able to get the UserCheck page to appear, so HTTPS inspection is working properly now.

[Screenshot: netflix usercheck]
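What the fix above relies on is path validation: an inspecting gateway can only build a chain from the server's leaf certificate to a root it trusts if every intermediate is either sent by the server or already in the gateway's trust store. The following added example (not Check Point code, and not the Symantec chain from the screenshots) reproduces that offline with a constructed three-tier chain generated through the `openssl` command line: validating the leaf against the root alone fails, while adding the intermediate to the trusted bundle, or having it supplied alongside the leaf as a server would, succeeds. The CA names, the `www.example.test` host name and the file names are constructed.

```python
"""Show why a missing intermediate CA makes an HTTPS inspection proxy reject a server.
Added example; needs the `openssl` CLI on PATH. All certificates are generated locally."""
import os
import subprocess
import tempfile


def _openssl(*args, cwd):
    """Run one openssl sub-command inside cwd, raising if it fails."""
    return subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True, check=True)


def build_demo_chain(workdir):
    """Create Demo Root CA -> Demo Intermediate CA -> leaf for www.example.test (constructed)."""
    ec = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:P-256", "-nodes"]
    # Self-signed root.
    _openssl("req", "-x509", *ec, "-keyout", "root.key", "-out", "root.pem",
             "-subj", "/CN=Demo Root CA", "-days", "2", cwd=workdir)
    # Extension files: the intermediate must assert CA:TRUE, the leaf must not.
    with open(os.path.join(workdir, "int.ext"), "w") as f:
        f.write("basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n")
    with open(os.path.join(workdir, "leaf.ext"), "w") as f:
        f.write("basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n")
    # Intermediate signed by the root.
    _openssl("req", *ec, "-keyout", "int.key", "-out", "int.csr",
             "-subj", "/CN=Demo Intermediate CA", cwd=workdir)
    _openssl("x509", "-req", "-in", "int.csr", "-CA", "root.pem", "-CAkey", "root.key",
             "-CAcreateserial", "-out", "int.pem", "-days", "2", "-extfile", "int.ext", cwd=workdir)
    # Leaf signed by the intermediate.
    _openssl("req", *ec, "-keyout", "leaf.key", "-out", "leaf.csr",
             "-subj", "/CN=www.example.test", cwd=workdir)
    _openssl("x509", "-req", "-in", "leaf.csr", "-CA", "int.pem", "-CAkey", "int.key",
             "-CAcreateserial", "-out", "leaf.pem", "-days", "2", "-extfile", "leaf.ext", cwd=workdir)


def verify_leaf(workdir, trusted, untrusted=()):
    """True if leaf.pem chains to the trusted bundle; `untrusted` plays the server-sent extras."""
    bundle = os.path.join(workdir, "trust-bundle.pem")
    with open(bundle, "w") as out:
        for name in trusted:                       # the gateway's "Trusted CAs" list
            with open(os.path.join(workdir, name)) as src:
                out.write(src.read())
    cmd = ["openssl", "verify", "-CAfile", bundle]
    for name in untrusted:                         # certificates presented by the server
        cmd += ["-untrusted", name]
    cmd.append("leaf.pem")
    proc = subprocess.run(cmd, cwd=workdir, capture_output=True, text=True)
    return proc.returncode == 0


def run_demo():
    """Return the three validation outcomes the thread is about."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_chain(d)
        return {
            "root_only": verify_leaf(d, ["root.pem"]),
            "root_plus_intermediate_trusted": verify_leaf(d, ["root.pem", "int.pem"]),
            "root_trusted_intermediate_sent_by_server": verify_leaf(d, ["root.pem"], ["int.pem"]),
        }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case}: {'OK' if ok else 'REJECTED'}")
```

The first case is the situation in the "netflix rejected" screenshot: the root is trusted but the chain cannot be completed, so the gateway refuses the connection regardless of the untrusted-certificate setting, which governs a different failure (an unknown root). Importing the intermediate, as done above, turns the second case on; it is worth checking periodically, because intermediates rotate more often than roots.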

PhoneBoy
Admin

Great tip, thanks for sharing this with the community.

0 Kudos
Eric_Oakeson
Employee Alumnus

Update from further testing: this works on Windows, Mac, and Android devices. Still seeing issues with Apple iOS devices, as they use a different URL (ios.nccp.netflix.com) which seems to have cert issues of its own, so still be aware of that one. I haven't been able to get that working yet.

0 Kudos