HTTPS inspection and Netflix
I am having difficulty preventing/blocking access to Netflix services. It appears that the HTTPS inspection blade does not try to or cannot properly inspect the HTTPS traffic to https://www.netflix.com and I am looking for some insight on how to resolve this or if it is possible.
I did come across this article explaining how Netflix has advanced their efforts in deploying TLS and suggests something proprietary has been done. Could this be related?
It wasn’t easy, but Netflix will soon use HTTPS to secure video streams | Ars Technica
Has anyone else already struggled with this?
sk114419 describes what to do.
- Create network objects to represent ranges or networks of IP addresses used by "Netflix" clients.
- Configure the above network objects in the HTTPS Inspection Bypass rule.
- Install the policy.
I appreciate the response but wouldn't that SK provide an alternative method to bypassing HTTPS inspection? I actually want to be able to inspect the traffic properly so that I can accurately "block" access using the application layer.
If Netflix uses Certificate Pinning in its HTTPS implementation, you cannot do HTTPS Inspection on that traffic without breaking Netflix.
In which case, the only solution is to disable inspection for those destination IPs listed in the link https://community.checkpoint.com/people/dantr917b8439-9d5c-34f0-b86a-f0e1b0a14cbd provided.
I think I understand. But without inspection, Netflix will pass through without any enforcement, correct?
You will still have enforcement as it should be possible to tell it's Netflix traffic without doing HTTPS Inspection.
I think I just found a fix for this one: you need to install the Symantec intermediate cert into the HTTPS Inspection Trusted CAs area. Once I did that, I stopped getting rejected for Netflix.
Here is Netflix getting rejected:
Even though I told it to allow untrusted certificates in the HTTPS Validation configurations:
I looked through the certificate chain for https://www.netflix.com and there was this Intermediate cert in there:
I went to Symantec and found that certificate (Symantec SSL Certificates Support) and installed it as a Trusted CA in HTTPS Inspection:
Once I did that, I was no longer getting rejected and this should also allow proper enforcement of Netflix as well. On a block rule I was also able to get the UserCheck page to appear, so HTTPS inspection is working properly now.
Great tip, thanks for sharing this with the community.
Update from further testing: this works on Windows, Mac, and Android devices. Still seeing issues with Apple iOS devices, as they use a different URL (ios.nccp.netflix.com) which seems to have cert issues of its own, so still be aware of that one. I haven't been able to get that working yet.