
HTTPS inspection and Netflix

I am having difficulty preventing/blocking access to Netflix services. It appears that the HTTPS inspection blade does not try to or cannot properly inspect the HTTPS traffic to https://www.netflix.com and I am looking for some insight on how to resolve this or if it is possible.

I did come across this article explaining how Netflix has advanced their efforts in deploying TLS and suggests something proprietary has been done. Could this be related?

It wasn’t easy, but Netflix will soon use HTTPS to secure video streams | Ars Technica

Has anyone else already struggled with this?


Accepted Solutions
Admin

Re: HTTPS inspection and Netflix

If Netflix uses Certificate Pinning in its HTTPS implementation, you cannot do HTTPS Inspection on that traffic without breaking Netflix.

In which case, the only solution is to disable inspection for those destination IPs listed in the link https://community.checkpoint.com/people/dantr917b8439-9d5c-34f0-b86a-f0e1b0a14cbd provided.

Danny

Re: HTTPS inspection and Netflix

sk114419 describes what to do.

  1. Create network objects to represent the ranges or networks of IP addresses used by "Netflix" clients.
  2. Configure the above network objects in the HTTPS Inspection Bypass rule.
  3. Install the policy.

Re: HTTPS inspection and Netflix

I appreciate the response but wouldn't that SK provide an alternative method to bypassing HTTPS inspection? I actually want to be able to inspect the traffic properly so that I can accurately "block" access using the application layer.


Re: HTTPS inspection and Netflix

I think I understand. But without inspection, Netflix will pass through without any enforcement, correct?

Admin

Re: HTTPS inspection and Netflix

You will still have enforcement as it should be possible to tell it's Netflix traffic without doing HTTPS Inspection.

Employee+

Re: HTTPS inspection and Netflix

I think I just found a fix for this one: you need to install the Symantec intermediate cert into the HTTPS Inspection Trusted CAs area. Once I did that, I stopped getting rejected for Netflix.

Here is Netflix getting rejected:

[image: netflix rejected]

Even though I told it to allow untrusted certificates in the HTTPS Validation configurations:

[image: https validation]

I looked through the certificate chain for https://www.netflix.com and there was this Intermediate cert in there:

[image: netflix certificate chain]

I went to Symantec and found that certificate (Symantec SSL Certificates Support ) and installed it as a Trusted CA in HTTPS Inspection:

[image: netflix symantec cert installed]

Once I did that, I was no longer getting rejected and this should also allow proper enforcement of Netflix as well. On a block rule I was also able to get the UserCheck page to appear, so HTTPS inspection is working properly now.

[image: netflix usercheck]
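The failure and fix described in the post above come down to chain building: an inspecting gateway that trusts only a root CA cannot validate a server certificate issued by an intermediate it has never seen, and importing that intermediate as a trusted CA makes the chain build. The script below is an added illustration, not code from the thread or from Check Point: it generates a throwaway root, intermediate and leaf with the openssl CLI (the only assumed tool), then runs `openssl verify` against a root-only trust store and against a store that also holds the intermediate. The common name www.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: model a gateway's trust store before and after importing an
# intermediate CA. Every certificate is constructed locally; nothing is fetched.
# Assumes the openssl CLI is on PATH.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed root CA (default req -x509 extensions mark it CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

# 2. Intermediate CA signed by the root; CA:TRUE so it may issue leaf certs.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Demo Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/inter.ext"
openssl x509 -req -sha256 -days 30 -in "$WORK/inter.csr" \
  -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/inter.ext" -out "$WORK/inter.crt" >/dev/null 2>&1

# 3. Server (leaf) certificate signed by the intermediate (constructed name).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
  -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -CAcreateserial \
  -out "$WORK/leaf.crt" >/dev/null 2>&1

# Two trust stores: root only (gateway before the fix) and root plus the
# intermediate (gateway after the intermediate is imported as a trusted CA).
cat "$WORK/root.crt" > "$WORK/trust_root_only.pem"
cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/trust_with_inter.pem"

# verify_leaf TRUST_BUNDLE LEAF [UNTRUSTED_CHAIN]
# Echoes OK when LEAF chains to a cert in TRUST_BUNDLE, FAIL otherwise.
# The optional third argument stands in for intermediates a server sends
# in its TLS handshake: usable for chain building but not trusted by itself.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

ROOT_ONLY_NO_INTER="$(verify_leaf "$WORK/trust_root_only.pem" "$WORK/leaf.crt")"
ROOT_ONLY_SERVER_SENDS_INTER="$(verify_leaf "$WORK/trust_root_only.pem" "$WORK/leaf.crt" "$WORK/inter.crt")"
INTER_TRUSTED="$(verify_leaf "$WORK/trust_with_inter.pem" "$WORK/leaf.crt")"

echo "root only, intermediate unknown:         $ROOT_ONLY_NO_INTER"            # FAIL
echo "root only, server supplies intermediate: $ROOT_ONLY_SERVER_SENDS_INTER"  # OK
echo "intermediate imported as trusted CA:     $INTER_TRUSTED"                 # OK
```

The first result is the "rejected" state from the post: the validator has no path from the leaf to a trusted cert. The second shows the server-side remedy (the server presents the intermediate, so the validator can build the chain up to the trusted root); the third is the remedy the post applied on the gateway. Importing an intermediate as trusted means every certificate under it will validate even when the server's chain is incomplete, so it is worth restricting the import to the specific issuer you have inspected rather than treating it as a general fix.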

Admin

Re: HTTPS inspection and Netflix

Great tip, thanks for sharing this with the community.

Employee+

Re: HTTPS inspection and Netflix

Update from further testing: this works on Windows, Mac, and Android devices. Still seeing issues with Apple iOS devices, as they use a different URL (ios.nccp.netflix.com) which seems to have cert issues of its own, so still be aware of that one. I haven't been able to get that working yet.
