How to Block HTTPS Sites Without SSL Inspection
Want to learn how to block HTTPS sites without SSL inspection? In this article, you will learn about how CurrentWare’s web filtering software BrowseControl blocks HTTPS sites without breaking encryption.
Use BrowseControl to Block HTTPS Websites Without Breaking Encryption
BrowseControl is an agent-based web content filtering software that can block websites without SSL inspection. Simply install the client on the endpoints you want to manage, select the users or computers you want to restrict, and add the desired URLs or content categories to the block list.
BrowseControl supports simple HTTPS filtering settings for domain-level site blocking and advanced HTTPS filtering for full URL blocking.
The web restriction technologies used by BrowseControl are…
- Windows Filtering Platform (WFP) for clients running Windows Vista and later, and on servers running Windows Server 2008 and later
- Winsock Layered Service Provider (LSP) for legacy Microsoft operating systems
- Microsoft UI Automation (UIA) allows and blocks websites based on the URLs typed in the address bar of web browsers.
These technologies are ideal if you want to block HTTPS websites in your network without SSL inspection. Get started today with a free 14-day trial of BrowseControl.
Block Any Domain, IP Address, or Specific URL Based on Users and Devices
BrowseControl’s granular internet blocking features allow you to configure unique settings for each of your users or computers.
Simply place the users or devices you would like to control into their own policy groups and add the specific sites you would like to allow or block to the URL and category lists.
This level of granularity is ideal when an administrator wants to block websites for some users while allowing them for others. For example, social media sites can be blocked for all employees that are not a part of the marketing team.
Filter Websites Across Any Web Browser
BrowseControl includes a default list of the most common browsers (Google Chrome, Mozilla Firefox, Microsoft Edge Chromium, Microsoft Internet Explorer, Opera, Safari, etc). If you would like to block internet access from any other browser or application with browsing capabilities you can add them to the filtering list.
Convenient Central Console With Active Directory Import & Sync
Any enterprise internet restriction solution must be implemented in a scalable way.
BrowseControl and the other software solutions in the CurrentWare Suite support Windows Active Directory Import and Sync, allowing you to use the exact same Windows AD organizational units and hierarchy that you’re used to.
From the convenient central console you can manage internet blocking settings for your entire workforce, saving you countless hours of support and maintenance.
Block Millions of HTTP and HTTPS Websites in Just a Few Clicks
When you simply want to block websites, a web filter is far easier to manage than a firewall.
With BrowseControl all you need to do to block a website is add the specific sites you want to block to the Block List. There’s no need to configure multiple policy entries, set up your own internal certificate authority (CA), track down a multitude of IP addresses, and be forced to block the same websites for every computer and employee in your environment.
With BrowseControl’s Category Filtering feature, you can easily block millions of websites across over 100 URL categories including Social Media, Pornography, Virus Infected, and Phishing sites. 10,000+ new domains are added each day, allowing you to simply select the types of websites you want to block.
The URL filter even allows you to import a list of URLs from a .csv or .txt file, allowing you to migrate your existing website lists into BrowseControl.
Block HTTPS Sites for Remote Users
A network-based firewall configuration cannot protect a device once it goes off-site. BrowseControl’s software client continues to block sites using the last known policies until a connection to the CurrentWare server can be reestablished.
Any new site settings changes will take effect once a connection between the CurrentWare Client and CurrentWare Server is established. This reconnection can happen through a VPN, port forwarding through a public static IP address, or other remote connection options.
Case Study: TCAT Takes Control of Student Internet Use
The Tennessee College of Applied Technology (TCAT) is one of the best technological educational institutions in the Tennessee area. To keep delivering a cutting-edge learning experience, they knew that they needed to integrate online resources into their curriculums and teaching methods.
But allowing internet access is not without its risks. As an IT instructor, Gabriel Alvarado is adamant that educational institutions need to defend against unauthorized access to personal information belonging to pupils, parents, or staff.
Gabriel knew that restricting internet access with blocking software was essential for protecting against web-based threats. In addition to improving security, BrowseControl provided TCAT’s students with an optimal educational experience by blocking distracting websites during class hours and preventing bandwidth hogs from impacting the performance of the network.
BrowseControl’s remote installation options and central management console made it the best filtering software for TCAT as they could deploy the software during the school term rather than having to wait until the holidays. Staff and user accounts could be readily distinguished, allowing filtering policies to be customized to the needs of each group.
“Exposing students to the digital world comes with a responsibility to protect them. And as well as keeping our students safe, we also need to keep our system safe! Students aren’t always aware of the dangerous consequences of their online actions, so there is always a risk of harmful behavior.”
Gabriel Alvarado, CIS/CIT Instructor, TCAT Crump
What is SSL Inspection?
“SSL/TLS Inspection or HTTPS Interception is the process of intercepting SSL/TLS encrypted internet communication between the client and server…It’s the same technique used in man-in-the-middle (MiTM) attacks.” – Article by cybersecurity writer Jay Thakkar
Enterprise network monitoring products that include a firewall, SSL proxy, or related technology will use SSL inspection to convert HTTPS to HTTP in order to determine whether or not a given site should be added to a blacklist based on the exact contents on the page.
Synonyms for SSL inspection and similar HTTPS inspection techniques include HTTPS DPI (deep packet inspection), SSL decryption, HTTPS interception, Transport Layer Security Inspection (TLSI), Transport Layer Security (TLS) break and inspect, SSL Stripping (when used maliciously), and man-in-the-middle attack (when used maliciously).
In contrast, a URL filter such as BrowseControl will block websites based on a known URL, IP address, or domain without the need to break encryption.
The Risks of Using SSL Inspection for Web Filtering
SSL inspection is not without its risks. For example, depending on the configuration and settings of the SSL Inspection solutions the HTTPS content could be inadvertently made available to external sources.
The forced decryption and reencryption of HTTPS traffic also introduces liability issues as the company performing the SSL inspection (a non-malicious man-in-the-middle attack) is now responsible for the privacy and cybersecurity impacts of the now-HTTP traffic.
The Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released warnings about the risks of decrypting network traffic.
In addition, a 2017 study warns that SSL inspection can do more harm than good. This study involved several authoritative researchers including Richard Barnes of the Internet Security Research Group and Nick Sullivan, Head of Cryptography at Cloudflare.
The study shows 62% of middlebox connections were less secure and an astounding 58% had severe vulnerabilities that enabled later interception.
Privacy & Liability Risks
“In the US, enterprises operating TLSI capabilities are subject to privacy laws, policies, and regulations. Enterprises should be aware of applicable requirements (e.g. for financial, health, and attorney-client privileged data) and configure TLSI to prevent unauthorized exposure of data.” – The NSA
While monitoring employee computer use is perfectly legal in the majority of jurisdictions, Breaking encryption allows the administrator to see more than just the URL of the website the employee is visiting.
With HTTPS intact any sensitive information such as credit card numbers, usernames, and passwords will not be visible to third parties. However, with SSL inspection the information is forced to be sent in clear text over HTTP.
This process is incredibly invasive if an employee visits a website where they may reveal sensitive information (such as a banking, eCommerce, or healthcare website). While many network monitoring products will exclude any site that is known to contain sensitive information there is still a risk of misuse or misconfiguration leading to a data leak.
Network Security Risks
CISA Alert TA17-075A notes many potential risks caused by converting HTTPS to HTTP in corporate networks.
“Organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement should ensure their HTTPS inspection products are performing correct transport layer security (TLS) certificate validation. Products that do not properly ensure secure TLS communications and do not convey error messages to the user may further weaken the end-to-end protections that HTTPS aims to provide.”
“Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, allowing the possibility of a MiTM attack.”
“Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties.”
The NSA also notes that “The primary risk involved with TLSI’s embedded CA is the potential abuse of the CA to issue unauthorized certificates trusted by the TLS clients. Abuse of a trusted CA can allow an adversary to sign malicious code to bypass host IDS/IPSs or to deploy malicious services that impersonate legitimate enterprise services or external servers to the clients.”
These risks aren’t theoretical, either. The TURKTRUST SSL certificate fiasco of 2011 demonstrates how trusted certificate authorities (CA) can accidentally or maliciously issue intermediate certificates that can be abused by threat actors.
Degraded Network Performance
Any technology that uses decryption to block a site is going to require substantial resources and most businesses are not equipped to inspect encrypted traffic at scale. Constantly decrypting and encrypting traffic impacts network performance, and mitigating these performance impacts requires additional hardware that may not be feasible for most environments.
Difficulty of Management
If you simply want to keep a site blocked in your network, a basic web filter with a block list (blacklist) is all you need. The added administrative overhead is only a worthwhile tradeoff if HTTPS inspection is a requirement for your environment.
SSL inspection can break website functionality in ways that are difficult to troubleshoot. For example, switching user accounts in Google may stop working, or you’ll be prevented from logging in to certain sites, or images may stop loading on certain sites, etc.
To use SSL inspection properly you need to configure your own internal certificate authority infrastructure or export a self-signed certificate from the firewall and install it on every client.
What is SSL Inspection Used For?
While the various related categories of HTTPS decryption may be far more than necessary to block specific sites, I’d like to note the practical use cases for the technology.
Web filters will block any website that is added to the block list (blacklist). This is ideal when the address of a given unwanted website is known, but it will only block domains that are on the block list.
Should an employee click on a link and visit a malicious website that is not already blocked they risk introducing malware to their computer or falling for a phishing scam. SSL inspection tools allow enterprises to dynamically decrypt traffic, inspect the decrypted content for threats, and then re-encrypt it before it enters or leaves the network.
Conclusion
Web restriction software is the ideal tool for blocking websites without SSL inspection. Breaking encryption and performing deep packet inspection should be reserved for advanced threat protection in environments where HTTPS inspection is a requirement.
Ready to start blocking HTTPS websites? Get a FREE trial of BrowseControl, CurrentWare’s internet restriction software.
