SSL/TLS decryption of HTTPS websites
You can control whether we decrypt websites to check them for your customers. If you set this here, your customers can't change it.
Note
If your customers are participating in the "New Endpoint Protection Features" EAP, they can turn decryption on or off for HTTPS websites. They can make changes to the settings you choose here for computers only. They can't make changes for servers.
Restriction
This feature is only available for Windows computers and servers.
Secure websites (HTTPS) are encrypted, so we can only scan the contents if you let us decrypt them.
However, you might want to exclude some or all sites from decryption. That's because decryption might let our product record personal information and show it in log entries.
If you turn decryption of HTTPS websites on, we may see and record personal information as follows:
- We see the full URL (including any additional parameters used by a GET request).
- We scan the contents, which may include Private Personal Information (PPI).
- If we detect a threat, we may send a sample to SophosLabs.
Firefox and decryption
Firefox uses its own certificate store, and this affects decryption of HTTPS websites. It also uses its own DNS servers instead of the Windows DNS servers.
For our decryption to work correctly you need to tell Firefox to trust the Windows certificate store. To do this, do as follows:
- Enter 'about:config' in the address bar and press Enter.
  A warning page may appear. Click Accept the Risk and Continue to go to the about:config page.
- Set 'security.enterprise_roots.enabled' to True.
  This tells Firefox to trust the Windows root certificate store.
You also need to tell Firefox to use your Windows DNS servers. This is important for web protection, as it allows us to see the Server Name Indication (SNI) information of an HTTPS session if HTTPS decryption is turned off. For help with this see Firefox DNS-over-HTTPS.
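The two Firefox changes above can be applied centrally instead of by hand in about:config. The following is an added example, not Sophos or Mozilla code: it writes a Firefox enterprise policy file (policies.json) that imports the Windows root store and turns off Firefox's built-in DNS-over-HTTPS so name resolution goes through the Windows resolver. It assumes a 64-bit Firefox in the default install path and that the script runs with administrator rights on the endpoint; the policy keys Certificates.ImportEnterpriseRoots and DNSOverHTTPS are Firefox's own, the file path and variable names are this example's.

```powershell
# Added example (not Sophos or Mozilla code): enforce the two Firefox settings from the
# text through Firefox's enterprise policy file rather than per-user about:config edits.
# Assumption: 64-bit Firefox installed in the default location; run as administrator.
$firefoxDir = 'C:\Program Files\Mozilla Firefox'   # adjust if Firefox is installed elsewhere
$policyDir  = Join-Path $firefoxDir 'distribution'
$policyFile = Join-Path $policyDir 'policies.json'

# Firefox policy keys used here:
#   Certificates.ImportEnterpriseRoots = true  -> same effect as security.enterprise_roots.enabled,
#                                                 so the decrypting root CA in the Windows store is trusted
#   DNSOverHTTPS.Enabled = false, Locked = true -> Firefox resolves names through Windows DNS and
#                                                 users cannot switch DoH back on, keeping SNI visible
$wanted = [ordered]@{
    Certificates = @{ ImportEnterpriseRoots = $true }
    DNSOverHTTPS = @{ Enabled = $false; Locked = $true }
}

if (-not (Test-Path $policyDir)) {
    New-Item -ItemType Directory -Path $policyDir | Out-Null
}

if (Test-Path $policyFile) {
    # Merge into an existing policy file so other managed settings are kept.
    $doc = Get-Content -Path $policyFile -Raw | ConvertFrom-Json
    if (-not $doc.policies) {
        $doc | Add-Member -NotePropertyName policies -NotePropertyValue ([pscustomobject]@{})
    }
    foreach ($key in $wanted.Keys) {
        # -Force replaces the key if it is already present
        $doc.policies | Add-Member -NotePropertyName $key -NotePropertyValue $wanted[$key] -Force
    }
} else {
    $doc = [ordered]@{ policies = $wanted }
}

$doc | ConvertTo-Json -Depth 5 | Set-Content -Path $policyFile -Encoding UTF8

# Show what was written; Firefox applies it on next start and lists it under about:policies.
Get-Content -Path $policyFile
```

After Firefox restarts, about:policies should list both policies as active and about:config should show security.enterprise_roots.enabled as true and locked. Locking DNSOverHTTPS matters for the SNI point made above: if a user could re-enable DoH, the web protection component would again lose visibility of the server name when decryption is off.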
Turn decryption on or off
You can turn HTTPS decryption on or off for all websites in your Threat Protection policies. You need to change and push the policies that apply to the customers and their devices.
- Click the Settings & Policies icon.
- Under Global customer settings, click Global templates.
- Select a template.
  Note
  This turns on SSL/TLS decryption for all customers in this template.
- Click Base policies.
- Under Endpoint Protection or Server Protection, click Threat Protection.
- Under SSL/TLS decryption of HTTPS websites, turn on Decrypt HTTPS websites using SSL/TLS.
  If decryption is turned on in the Threat Protection policy of a device, it's also turned on for Web Control checks on that device.
- In Base policies, click Push to customers.
- In the Push to customers dialog, click Push to confirm.
Exclude websites from decryption
You can exclude some HTTPS websites or website categories from decryption to protect sensitive data.
We automatically block HTTPS websites that don't use TLS 1.2 or later. Most web browsers (Chrome, Firefox, Edge) also automatically block these pages.
If this happens you get a message saying "We've blocked access to this URL due to your policy. The encryption used by the server hosting this URL is insecure."
You can add an exclusion for these websites.
Note
If you exclude websites, some settings in your Threat Protection and Web Control policies (scanning downloads or blocking risky file types) won't apply to them. However, we'll do checks that don't need decryption.
For information on Chrome removing TLS 1.0 and 1.1, see Feature: TLS 1.0 and TLS 1.1 (removed).
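Before adding a decryption exclusion for a site that was blocked with the "encryption used by the server ... is insecure" message, it is worth confirming what the server actually negotiates, because an excluded site no longer gets download scanning or risky-file-type blocking. The following is an added example, not Sophos code: a PowerShell function that opens a TLS session to a host with .NET's SslStream and reports the negotiated protocol version. It assumes outbound TCP/443 is reachable from where it runs; the function and property names are this example's own.

```powershell
# Added example (not Sophos code): report the TLS version a server negotiates so you can
# check whether it really falls below the TLS 1.2 minimum before excluding it from decryption.
# Assumption: the machine running this can reach the target host on the given port.
function Get-NegotiatedTlsVersion {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)

        # We only want the protocol version, not a trust decision, so the certificate
        # validation callback accepts any certificate. Do not reuse this callback elsewhere.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)

        try {
            # SslProtocols.None lets Windows pick from its enabled protocols, so the result is
            # the best version the server offers that this client also supports.
            $ssl.AuthenticateAsClient(
                $HostName, $null,
                [System.Security.Authentication.SslProtocols]::None, $false)

            # Enum values: Tls=192, Tls11=768, Tls12=3072, Tls13=12288, so a numeric
            # comparison against Tls12 answers "TLS 1.2 or later".
            $meetsMinimum = [int]$ssl.SslProtocol -ge [int][System.Security.Authentication.SslProtocols]::Tls12

            [pscustomobject]@{
                Host             = $HostName
                Port             = $Port
                Protocol         = $ssl.SslProtocol
                Cipher           = $ssl.CipherAlgorithm
                Tls12OrLater     = $meetsMinimum
                HandshakeError   = $null
            }
        } catch {
            # A failed handshake usually means the server only offers versions this client
            # has disabled (for example TLS 1.0/1.1 when those are turned off in Windows).
            [pscustomobject]@{
                Host             = $HostName
                Port             = $Port
                Protocol         = $null
                Cipher           = $null
                Tls12OrLater     = $false
                HandshakeError   = $_.Exception.Message
            }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Dispose()
    }
}

# Usage (hostname is a placeholder; replace with the site from the block message):
Get-NegotiatedTlsVersion -HostName 'intranet.example.invalid'
```

A result with Tls12OrLater set to false, or a HandshakeError, confirms the server is the problem rather than the policy; the safer fix is to have the server upgraded, with an exclusion used only as a stopgap, since excluded sites are no longer scanned for downloads or risky file types.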
To exclude websites from decryption, do as follows:
- Click the Settings & Policies icon.
- Under Global customer settings, click Global templates.
- Select a template.
  Note
  This excludes websites from decryption for all customers in this template.
- Click Global settings and click SSL/TLS decryption of HTTPS.
- Check the Categories excluded from HTTPS decryption.
  All the listed categories are excluded by default. You can turn off these exclusions, but you can't add or remove categories.
  To exclude specific sites, continue to the next step.
- In Websites excluded from HTTPS decryption, click Add exclusion.
- On the Add exclusion dialog, enter the following details:
  - Enter a domain name, an IP address, or an IP address range.
  - (Optional) Add a comment to remind you why you excluded the website.
  - Click Add.
- On the SSL/TLS decryption of HTTPS page, click Save.