Skip to content

SSL/TLS decryption of HTTPS websites

You can control whether we decrypt websites to check them.

Secure websites (HTTPS) are encrypted, so we can only scan the contents if you let us decrypt them.

However, you might want to exclude some or all sites from decryption. That's because decryption might let our product record personal information and show it in log entries.

If you turn decryption of HTTPS websites on, we may see and record personal information as follows:

  • We see the full URL (including any additional parameters used by a GET request).
  • We scan the contents, which may include Private Personal Information (PPI).
  • If we detect a threat, we may send a sample to SophosLabs.

Firefox and decryption

Firefox uses its own certificate store and this affects decryption of HTTPS websites. They also use their own DNS servers instead of using the Windows DNS servers.

For our decryption to work correctly on Windows, you need to tell Firefox to trust the Windows certificate store. To do this, do as follows:

  1. Enter 'about:config' in the address bar and press Enter.

    A warning page may appear. Click Accept the Risk and Continue to go to the about:config page.

  2. Set 'security.enterprise_roots.enabled' to True.

    This tells Firefox to trust the Windows root certificate store.

You also need to tell Firefox to use your Windows DNS servers. This is important for web protection, as it allows us to see the Server Name Indication (SNI) information of an HTTPS session if HTTPS decryption is turned off. For help with this see Firefox DNS-over-HTTPS.

Turn decryption on or off

You can turn HTTPS decryption on or off for all websites in your Threat Protection policies for endpoint computers or servers.

By default, HTTPS decryption is off for endpoint computers.

  1. Go to My Products > Endpoint or Server.
  2. Click Policies.
  3. Click the Threat Protection policy you want and edit the setting for SSL/TLS decryption of HTTPS websites.

    If decryption is on in the Threat Protection policy that applies to a device, it's also on for Web Control checks on that device.

Exclude websites from decryption

You can exclude some HTTPS websites or website categories from decryption to protect sensitive data.

We automatically block HTTPS websites that don't use TLS 1.2 or later. Most web browsers (Chrome, Firefox, Edge) also automatically block these pages.

If this happens you get a message saying "We've blocked access to this URL due to your policy. The encryption used by the server hosting this URL is insecure."

Insecure URL message.

You can add an exclusion for these websites.


If you exclude websites, some settings in your Threat Protection and Web Control policies (scanning downloads or blocking risky file types) won't apply to them. However, we'll do checks that don't need decryption.

For information on Chrome removing TLS 1.0 and 1.1, see Feature: TLS 1.0 and TLS 1.1 (removed).

To exclude websites from decryption, do as follows:

  1. Go to My Products > General Settings.
  2. Under General, click SSL/TLS decryption of HTTPS websites.

    General Settings page.

  3. Check the Categories excluded from HTTPS decryption. All the listed categories are excluded by default. You can turn these exclusions off, but you can't add or remove categories.

    To exclude specific sites, continue to the next step.

    Exclusions section on SSL/TLS decryption page.

  4. In Websites excluded from HTTPS decryption, click Add exclusion.

    "Add exclusion" button.

  5. On the Add exclusion dialog, enter details of the website.

    1. Enter a domain name, an IP address, or an IP address range. For examples, see Website exclusions.
    2. Optional: Add a comment to remind you why you excluded the site.
    3. Click Add.

    "Add exclusion" dialog.