
SSL/TLS decryption of HTTPS websites

You can control whether we decrypt websites to check them for your customers. If you choose to do this then your customers can't make changes.

Note

If your customers are participating in the "New Endpoint Protection Features" EAP, they can turn decryption on or off for HTTPS websites. They can make changes to the settings you choose here for computers only. They can't make changes for servers.

Restriction

This feature is only available for Windows computers and servers.

Secure websites (HTTPS) are encrypted, so we can only scan the contents if you let us decrypt them.

However, you might want to exclude some or all sites from decryption. That's because decryption might let our product record personal information and show it in log entries.

If you turn decryption of HTTPS websites on, we may see and record personal information as follows:

  • We see the full URL (including any additional parameters used by a GET request).
  • We scan the contents, which may include Private Personal Information (PPI).
  • If we detect a threat, we may send a sample to SophosLabs.

Firefox and decryption

Firefox uses its own certificate store, and this affects decryption of HTTPS websites. It also uses its own DNS servers (DNS-over-HTTPS) instead of the Windows DNS servers.

For our decryption to work correctly you need to tell Firefox to trust the Windows certificate store. To do this, do as follows:

  1. Enter 'about:config' in the address bar and press Enter.

    A warning page may appear. Click Accept the Risk and Continue to go to the about:config page.

  2. Set 'security.enterprise_roots.enabled' to True.

    This tells Firefox to trust the Windows root certificate store.

You also need to tell Firefox to use your Windows DNS servers. This is important for web protection, as it allows us to see the Server Name Indication (SNI) information of an HTTPS session if HTTPS decryption is turned off. For help with this see Firefox DNS-over-HTTPS.
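The same two Firefox settings can be applied centrally instead of per user. The script below is an added example (not Sophos or Mozilla code): it writes and audits a Firefox enterprise policies.json that turns on trust for the Windows certificate store and turns off Firefox's own DNS-over-HTTPS. It assumes Firefox reads the file from the distribution folder under its install directory (the path in DEFAULT_POLICY_PATH is an assumed 64-bit default), and that the policy keys Certificates.ImportEnterpriseRoots and DNSOverHTTPS.Enabled are the managed equivalents of the about:config steps above.

```python
"""Added example (not Sophos or Mozilla code): build and audit a Firefox
enterprise policies.json that applies the two Firefox settings described above.
Assumptions: Firefox reads <install dir>\\distribution\\policies.json; the
policy keys Certificates.ImportEnterpriseRoots and DNSOverHTTPS.Enabled are the
managed equivalents of the about:config pref security.enterprise_roots.enabled
and of turning DNS-over-HTTPS off."""
import json
import sys
from pathlib import Path

# Managed-policy equivalent of the manual steps in the section above.
REQUIRED_POLICIES = {
    "policies": {
        # Trust the Windows root certificate store, so the certificates that
        # decryption presents are accepted (same effect as
        # security.enterprise_roots.enabled = true).
        "Certificates": {"ImportEnterpriseRoots": True},
        # Use the Windows DNS servers rather than Firefox's own DoH resolver,
        # so SNI-based checks still work when decryption is off.
        "DNSOverHTTPS": {"Enabled": False, "Locked": True},
    }
}

# Assumed default location on a 64-bit Windows install.
DEFAULT_POLICY_PATH = Path(r"C:\Program Files\Mozilla Firefox\distribution\policies.json")


def _sub(container, key):
    """Return container[key] if it is a dict, else an empty dict."""
    value = container.get(key) if isinstance(container, dict) else None
    return value if isinstance(value, dict) else {}


def audit_policies(policy: dict) -> list:
    """Return the problems found in a parsed policies.json (empty list = OK)."""
    problems = []
    section = _sub(policy, "policies")
    if _sub(section, "Certificates").get("ImportEnterpriseRoots") is not True:
        problems.append("Certificates.ImportEnterpriseRoots is not true: "
                        "Firefox will not trust the Windows certificate store")
    if _sub(section, "DNSOverHTTPS").get("Enabled") is not False:
        problems.append("DNSOverHTTPS.Enabled is not false: "
                        "Firefox may bypass the Windows DNS servers")
    return problems


def audit_file(path: Path) -> list:
    """Audit an on-disk policies.json, reporting a missing or unparsable file."""
    if not path.is_file():
        return [f"policies.json not found: {path}"]
    try:
        return audit_policies(json.loads(path.read_text(encoding="utf-8")))
    except json.JSONDecodeError as exc:
        return [f"policies.json is not valid JSON: {exc}"]


def write_policies(path: Path) -> Path:
    """Write REQUIRED_POLICIES to path, creating the distribution folder if needed."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(REQUIRED_POLICIES, indent=2), encoding="utf-8")
    return path


if __name__ == "__main__":
    # Usage: python firefox_policy.py [path\to\policies.json] [--write]
    args = [a for a in sys.argv[1:] if a != "--write"]
    target = Path(args[0]) if args else DEFAULT_POLICY_PATH
    if "--write" in sys.argv:
        write_policies(target)
    problems = audit_file(target)
    print("\n".join(problems) if problems else f"{target}: Firefox policy OK")
```

Run it without arguments to audit the default path, or with --write to create the file first; an empty problem list means both settings are in place. Locking the DNS-over-HTTPS policy stops a user from re-enabling it from the Firefox settings page.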

Turn decryption on or off

You can turn HTTPS decryption on or off for all websites in your Threat Protection policies. You need to change and push the policies that apply to the customers and their devices.

  1. Go to Settings & Policies > Global Templates.
  2. Select the template you want to change or clone one to create a new template.
  3. Check the customers you want are associated with the template.
  4. Click Base Policies.
  5. Go to Endpoint: Threat Protection or Server: Threat Protection.
  6. Edit the setting for SSL/TLS decryption of HTTPS websites.

    If decryption is on in the Threat Protection policy that applies to a device, it's also on for Web Control checks on that device.

  7. Push the template.

Exclude websites from decryption

You can exclude some HTTPS websites or website categories from decryption to protect sensitive data.

We automatically block HTTPS websites that don't use TLS 1.2 or later. Most web browsers (Chrome, Firefox, Edge) also automatically block these pages.

If this happens you get a message saying "We've blocked access to this URL due to your policy. The encryption used by the server hosting this URL is insecure."

You can add an exclusion for these websites.
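Before adding an exclusion for a site that shows this message, it is worth confirming that the server really cannot negotiate TLS 1.2 or later. The script below is an added example (not Sophos code) that probes a server: it first requires TLS 1.2 as the policy does and, if that fails, retries with legacy protocols enabled to report what the server can still negotiate. Keeping certificate verification on and the SECLEVEL=0 retry are this example's own choices, not anything the product does.

```python
"""Added example (not Sophos code): check which TLS protocol version a server
negotiates, and whether a policy that requires TLS 1.2 or later would block it.
Certificate verification stays on; the legacy retry is a diagnostic choice
of this example only."""
import socket
import ssl

# Rank of the strings SSLSocket.version() returns, lowest to highest.
_VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def is_blocked_by_policy(negotiated: str) -> bool:
    """True if a session on this protocol version is older than TLS 1.2."""
    if negotiated not in _VERSION_RANK:
        raise ValueError(f"unknown protocol version: {negotiated!r}")
    return _VERSION_RANK[negotiated] < _VERSION_RANK["TLSv1.2"]


def _handshake(host, port, timeout, minimum, legacy=False):
    """Attempt one TLS handshake and report the negotiated version or the error."""
    try:
        ctx = ssl.create_default_context()  # certificate verification stays on
        ctx.minimum_version = minimum
        if legacy:
            # Diagnostic only: let OpenSSL offer the legacy protocols and
            # cipher suites that its default security level refuses.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "error": None}
    except (OSError, ValueError) as exc:  # ssl.SSLError is an OSError
        return {"ok": False, "version": None, "error": f"{type(exc).__name__}: {exc}"}


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """First require TLS 1.2+, as the policy does; if that fails, retry
    permissively to learn what the server can still negotiate."""
    strict = _handshake(host, port, timeout, ssl.TLSVersion.TLSv1_2)
    if strict["ok"]:
        return {"host": host, "negotiated": strict["version"], "blocked": False,
                "detail": "server supports TLS 1.2 or later"}
    legacy = _handshake(host, port, timeout, ssl.TLSVersion.TLSv1, legacy=True)
    if legacy["ok"]:
        return {"host": host, "negotiated": legacy["version"],
                "blocked": is_blocked_by_policy(legacy["version"]),
                "detail": "negotiated only after relaxing the client's security level"}
    return {"host": host, "negotiated": None, "blocked": None,
            "detail": f"no handshake possible: {strict['error']}"}


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:] or ["example.com"]:
        result = probe_tls(name)
        print(f"{result['host']}: negotiated={result['negotiated']} "
              f"blocked={result['blocked']} ({result['detail']})")
```

A result with blocked=True confirms the block is caused by the server's protocol support rather than by the category or website exclusions; blocked=None means no TLS session could be set up at all (for example a closed port or a certificate that fails verification), which points to a different problem.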

Note

If you exclude websites, some settings in your Threat Protection and Web Control policies (scanning downloads or blocking risky file types) won't apply to them. However, we'll do checks that don't need decryption.

For information on Chrome removing TLS 1.0 and 1.1, see Feature: TLS 1.0 and TLS 1.1 (removed).

To exclude websites from decryption, do as follows:

  1. Go to Settings & Policies > Global Templates.
  2. Select the template you want to change or clone one to create a new template.
  3. Click SSL/TLS decryption of HTTPS websites.
  4. Check the Categories excluded from HTTPS decryption.

    All the listed categories are excluded by default. You can turn these exclusions off, but you can't add or remove categories.

    To exclude specific sites, continue to the next step.

  5. In Websites excluded from HTTPS decryption, click Add exclusion.

  6. On the Add exclusion dialog, enter details of the website.

    1. Enter a domain name, an IP address, or an IP address range.
    2. Optional: Add a comment to remind you why you excluded the site.
    3. Click Add.
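When reviewing a longer exclusion list it helps to be able to ask "is this host excluded, and by which entry?". The class below is an added example (not Sophos code) that parses the three entry kinds the dialog accepts (domain name, IP address, IP address range) and answers that question for a given host. Its matching rules are assumptions of the example, not documented product behaviour: a domain entry covers itself and its subdomains, a range can be written as start-end or in CIDR form, and a host given as an IP literal only matches IP entries.

```python
"""Added example (not Sophos code): evaluate whether a host is covered by a
decryption-exclusion list made of domain names, IP addresses and IP ranges.
Matching rules are assumptions: a domain entry covers itself and its
subdomains; a range is start-end or CIDR; an IP literal only matches IP
entries."""
import ipaddress
import re

# Hostname labels: 1-63 characters of [a-z0-9-], not starting or ending with '-'.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")


class DecryptionExclusions:
    def __init__(self, entries=()):
        self._domains = {}    # normalised domain -> original entry
        self._networks = []   # (ip_network, original entry)
        for entry in entries:
            self.add(entry)

    def add(self, entry: str) -> None:
        """Parse one exclusion entry; raise ValueError on anything unrecognised."""
        text = entry.strip().lower().rstrip(".")
        # Single IP address or CIDR block.
        try:
            self._networks.append((ipaddress.ip_network(text, strict=False), entry))
            return
        except ValueError:
            pass
        # start-end range: expand to the minimal set of CIDR blocks.
        if "-" in text:
            start, _, end = text.partition("-")
            try:
                lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            except ValueError:
                lo = hi = None
            if lo is not None:
                if lo.version != hi.version or lo > hi:
                    raise ValueError(f"invalid IP range: {entry!r}")
                for net in ipaddress.summarize_address_range(lo, hi):
                    self._networks.append((net, entry))
                return
        # Otherwise it must be a syntactically valid domain name.
        if _DOMAIN_RE.match(text):
            self._domains[text] = entry
            return
        raise ValueError(f"not a domain, IP address or IP range: {entry!r}")

    def match(self, host: str):
        """Return the exclusion entry that covers host, or None."""
        text = host.strip().lower().rstrip(".").strip("[]")
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            ip = None
        if ip is not None:
            # An IP literal only ever matches IP entries: a domain exclusion
            # cannot cover traffic the browser addresses by IP.
            for net, entry in self._networks:
                if ip in net:
                    return entry
            return None
        # Walk from the full name up to its parent domains.
        labels = text.split(".")
        for i in range(len(labels)):
            entry = self._domains.get(".".join(labels[i:]))
            if entry is not None:
                return entry
        return None

    def is_excluded(self, host: str) -> bool:
        return self.match(host) is not None


if __name__ == "__main__":
    # Constructed sample list and hosts, for illustration only.
    exclusions = DecryptionExclusions(
        ["bank.example", "10.0.0.0/8", "192.168.1.10-192.168.1.20", "203.0.113.7"])
    for host in ["online.bank.example", "shop.example", "192.168.1.15", "192.168.1.21"]:
        print(f"{host}: {exclusions.match(host) or 'decrypted'}")
```

The parse-time ValueError is deliberate: an entry that is neither a domain nor an address is the kind of typo that silently leaves a sensitive site subject to decryption, so it is better to reject it than to store it.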