Want to learn how to block HTTPS sites without SSL inspection? In this article, you will learn how CurrentWare’s web filtering software BrowseControl blocks HTTPS sites without breaking encryption.
BrowseControl is an agent-based web content filtering software that can block websites without SSL inspection. Simply install the client on the endpoints you want to manage, select the users or computers you want to restrict, and add the desired URLs or content categories to the block list.
BrowseControl supports simple HTTPS filtering settings for domain-level site blocking and advanced HTTPS filtering for full URL blocking.
The web restriction technologies used by BrowseControl are…
These technologies are ideal if you want to block HTTPS websites in your network without SSL inspection. Get started today with a free 14-day trial of BrowseControl.
BrowseControl’s granular internet blocking features allow you to configure unique settings for each of your users or computers.
Simply place the users or devices you would like to control into their own policy groups and add the specific sites you would like to allow or block to the URL and category lists.
This level of granularity is ideal when an administrator wants to block websites for some users while allowing them for others. For example, social media sites can be blocked for all employees that are not a part of the marketing team.
BrowseControl includes a default list of the most common browsers (Google Chrome, Mozilla Firefox, Microsoft Edge Chromium, Microsoft Internet Explorer, Opera, Safari, etc.). If you would like to block internet access from any other browser or application with browsing capabilities, you can add them to the filtering list.
Any enterprise internet restriction solution must be implemented in a scalable way.
BrowseControl and the other software solutions in the CurrentWare Suite support Windows Active Directory Import and Sync, allowing you to use the exact same Windows AD organizational units and hierarchy that you’re used to.
From the convenient central console you can manage internet blocking settings for your entire workforce, saving you countless hours of support and maintenance.
When you simply want to block websites, a web filter is far easier to manage than a firewall.
With BrowseControl all you need to do to block a website is add the specific sites you want to block to the Block List. There’s no need to configure multiple policy entries, set up your own internal certificate authority (CA), track down a multitude of IP addresses, and be forced to block the same websites for every computer and employee in your environment.
With BrowseControl’s Category Filtering feature, you can easily block millions of websites across over 100 URL categories including Social Media, Pornography, Virus Infected, and Phishing sites. 10,000+ new domains are added each day, allowing you to simply select the types of websites you want to block.
The URL filter even allows you to import a list of URLs from a .csv or .txt file, allowing you to migrate your existing website lists into BrowseControl.
A network-based firewall configuration cannot protect a device once it goes off-site. BrowseControl’s software client continues to block sites using the last known policies until a connection to the CurrentWare server can be reestablished.
Any new site settings changes will take effect once a connection between the CurrentWare Client and CurrentWare Server is established. This reconnection can happen through a VPN, port forwarding through a public static IP address, or other remote connection options.
The Tennessee College of Applied Technology (TCAT) is one of the best technological educational institutions in the Tennessee area. To keep delivering a cutting-edge learning experience, they knew that they needed to integrate online resources into their curriculums and teaching methods.
But allowing internet access is not without its risks. As an IT instructor, Gabriel Alvarado is adamant that educational institutions need to defend against unauthorized access to personal information belonging to pupils, parents, or staff.
Gabriel knew that restricting internet access with blocking software was essential for protecting against web-based threats. In addition to improving security, BrowseControl provided TCAT’s students with an optimal educational experience by blocking distracting websites during class hours and preventing bandwidth hogs from impacting the performance of the network.
BrowseControl’s remote installation options and central management console made it the best filtering software for TCAT as they could deploy the software during the school term rather than having to wait until the holidays. Staff and user accounts could be readily distinguished, allowing filtering policies to be customized to the needs of each group.
“Exposing students to the digital world comes with a responsibility to protect them. And as well as keeping our students safe, we also need to keep our system safe! Students aren’t always aware of the dangerous consequences of their online actions, so there is always a risk of harmful behavior.”
Gabriel Alvarado, CIS/CIT Instructor, TCAT Crump
“SSL/TLS Inspection or HTTPS Interception is the process of intercepting SSL/TLS encrypted internet communication between the client and server…It’s the same technique used in man-in-the-middle (MiTM) attacks.” – Article by cybersecurity writer Jay Thakkar
Enterprise network monitoring products that include a firewall, SSL proxy, or related technology will use SSL inspection to convert HTTPS to HTTP in order to determine whether or not a given site should be added to a blacklist based on the exact contents on the page.
Synonyms for SSL inspection and similar HTTPS inspection techniques include HTTPS DPI (deep packet inspection), SSL decryption, HTTPS interception, Transport Layer Security Inspection (TLSI), Transport Layer Security (TLS) break and inspect, SSL Stripping (when used maliciously), and man-in-the-middle attack (when used maliciously).
In contrast, a URL filter such as BrowseControl will block websites based on a known URL, IP address, or domain without the need to break encryption.
SSL inspection is not without its risks. For example, depending on the configuration and settings of the SSL Inspection solutions the HTTPS content could be inadvertently made available to external sources.
The forced decryption and reencryption of HTTPS traffic also introduces liability issues as the company performing the SSL inspection (a non-malicious man-in-the-middle attack) is now responsible for the privacy and cybersecurity impacts of the now-HTTP traffic.
The Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released warnings about the risks of decrypting network traffic.
In addition, a 2017 study warns that SSL inspection can do more harm than good. This study involved several authoritative researchers including Richard Barnes of the Internet Security Research Group and Nick Sullivan, Head of Cryptography at Cloudflare.
The study shows 62% of middlebox connections were less secure and an astounding 58% had severe vulnerabilities that enabled later interception.
“In the US, enterprises operating TLSI capabilities are subject to privacy laws, policies, and regulations. Enterprises should be aware of applicable requirements (e.g. for financial, health, and attorney-client privileged data) and configure TLSI to prevent unauthorized exposure of data.” – The NSA
While monitoring employee computer use is perfectly legal in the majority of jurisdictions, breaking encryption allows the administrator to see more than just the URL of the website the employee is visiting.
With HTTPS intact any sensitive information such as credit card numbers, usernames, and passwords will not be visible to third parties. However, with SSL inspection the information is forced to be sent in clear text over HTTP.
This process is incredibly invasive if an employee visits a website where they may reveal sensitive information (such as a banking, eCommerce, or healthcare website). While many network monitoring products will exclude any site that is known to contain sensitive information there is still a risk of misuse or misconfiguration leading to a data leak.
CISA Alert TA17-075A notes many potential risks caused by converting HTTPS to HTTP in corporate networks.
“Organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement should ensure their HTTPS inspection products are performing correct transport layer security (TLS) certificate validation. Products that do not properly ensure secure TLS communications and do not convey error messages to the user may further weaken the end-to-end protections that HTTPS aims to provide.”
“Many HTTPS inspection products do not properly verify the certificate chain of the server before re-encrypting and forwarding client data, allowing the possibility of a MiTM attack.”
“Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties.”
The NSA also notes that “The primary risk involved with TLSI’s embedded CA is the potential abuse of the CA to issue unauthorized certificates trusted by the TLS clients. Abuse of a trusted CA can allow an adversary to sign malicious code to bypass host IDS/IPSs or to deploy malicious services that impersonate legitimate enterprise services or external servers to the clients.”
These risks aren’t theoretical, either. The TURKTRUST SSL certificate fiasco of 2011 demonstrates how trusted certificate authorities (CA) can accidentally or maliciously issue intermediate certificates that can be abused by threat actors.
Any technology that uses decryption to block a site is going to require substantial resources and most businesses are not equipped to inspect encrypted traffic at scale. Constantly decrypting and encrypting traffic impacts network performance, and mitigating these performance impacts requires additional hardware that may not be feasible for most environments.
If you simply want to keep a site blocked in your network, a basic web filter with a block list (blacklist) is all you need. The added administrative overhead is only a worthwhile tradeoff if HTTPS inspection is a requirement for your environment.
SSL inspection can break website functionality in ways that are difficult to troubleshoot. For example, switching user accounts in Google may stop working, or you’ll be prevented from logging in to certain sites, or images may stop loading on certain sites, etc.
To use SSL inspection properly you need to configure your own internal certificate authority infrastructure or export a self-signed certificate from the firewall and install it on every client.
While the various related categories of HTTPS decryption may be far more than necessary to block specific sites, I’d like to note the practical use cases for the technology.
Web filters will block any website that is added to the block list (blacklist). This is ideal when the address of a given unwanted website is known, but it will only block domains that are on the block list.
Should an employee click on a link and visit a malicious website that is not already blocked they risk introducing malware to their computer or falling for a phishing scam. SSL inspection tools allow enterprises to dynamically decrypt traffic, inspect the decrypted content for threats, and then re-encrypt it before it enters or leaves the network.
Web restriction software is the ideal tool for blocking websites without SSL inspection. Breaking encryption and performing deep packet inspection should be reserved for advanced threat protection in environments where HTTPS inspection is a requirement.
Ready to start blocking HTTPS websites? Get a FREE trial of BrowseControl, CurrentWare’s internet restriction software.