SSL Decryption/Inspection

With version 3.5.3, Sonar now has the ability to do SSL Decryption/Inspection, something that has been a highly requested feature for us in the past. With more and more of the World Wide Web opting to go HTTPS, we thought it was finally time to do something about it.  

WHY?

As mentioned above, with the majority of the internet going HTTPS, it's getting harder and harder to track and report on a user's usage. With this feature for Sonar, you will be able to catch, track, block and report on data from popular SSL sites like Google, YouTube and Social Media websites.

IS IT COMPULSORY?

Absolutely not. You're free to continue to use Sonar without SSL Decryption, and truth be told, your Sonar will most likely perform better without it. SSL Decryption increases the system load on Sonar due to it having to decrypt traffic for users. The more you decrypt, the slower the Sonar will perform.

HOW DOES IT WORK?

Sonar's SSL Inspection comes in three stages: Light, Medium and Heavy. These are set up as "basic" templates for Sonar users, but are still fully customisable (you can add/remove categories for SSL Inspection freely).

  1. Light - Focuses only on Search Engines and Streaming Media such as Google/Bing Search results as well as YouTube.
  2. Medium - Focuses on Search Engines and Streaming media, but also includes Webmail, Chat and Social Networking.
  3. Heavy - Focuses on decrypting everything, except anything relating to banking and finance. 

HOW DO I ENABLE SSL INSPECTION?

Enabling SSL Inspection is a simple process, much the same as enabling Site Filtering. It works in a similar way as well, using the Cyren Filtering Categories to determine which sites to decrypt and which to leave encrypted (exceptions). As with Site Filtering, you can create custom lists containing the specific domains that you want to inspect. In the example below, categories on the left-hand side are sites which are currently being decrypted, whereas categories on the right-hand side are not (categories that are excepted from inspection).

*Important Note* SSL Inspection will not work without the installation of a certificate. See below for more details. 

CERTIFICATES & SSL ONBOARDING

If SSL Inspection is enabled, but users have not yet installed Sonar's self-signed certificate, then SSL Inspection will not work. Users will get a certificate error like the one below:

This is where Sonar's Onboarding feature comes into play. Onboarding can be enabled from the Group Settings, and provides an easy way to assist users in installing the self-signed certificate. Onboarding is able to detect what OS a user is using, whether it be iOS, OSX, Windows, or Android, and provide easy-to-follow instructions to guide the user through correctly installing the Certificate. Onboarding is also responsible for checking that the user has the Certificate installed after each log on, but this can also be adjusted.

HOW DOES ONBOARDING WORK?

Onboarding checks for Sonar's Certificate when a user attempts to launch the browser. If it doesn't detect the Certificate, it provides instructions relevant to the user's OS on how to install it. If Onboarding detects the Certificate and it is valid, it bypasses the Onboarding page and takes the user to the Internet. Below is an example of what the Onboarding page looks like:

Different Operating Systems have different methods of installing a Certificate, but in most cases the Certificate must be installed in the Trusted Root section of the Certificate Store.

For more information on certificate deployment see this article.

HOW DO I KNOW SSL INSPECTION IS WORKING?

If you've followed all the instructions up until this point, and are confident that you've done things right, you're ready to test the SSL Inspection module! If the Certificate has been successfully imported into the Trusted Root Authorities Store, and you have enabled the categories you want to Inspect in the Group Privileges, you can open up Monitor -> User with the User you're testing with and start monitoring their web usage. If you start to see the full URL for HTTPS sites, that is an indicator that SSL Inspection is working. In the example below, we see the full URL for Google Searches, despite the traffic being encrypted.

HOW CAN I RUN REPORTS?

Running reports is no different from running a report on a Sonar not doing SSL Inspection. Your results will simply show more information for HTTPS websites, as opposed to just the domain. There are, however, a few extra reports that can only be run if you're doing SSL Inspection.

  • YouTube Report - this report will show which YouTube videos a user has visited/viewed in the time period you specify. The report contains the name and thumbnail of the video, the user, the IP and the date and time. The image below shows an example report:

  • Search Engine Report - this report will show you what users have been searching for in Search Engines such as Google, Bing or Yahoo. It filters out all the other useless information from the URL and provides you with the search term, the username, the IP Address and which Search Engine they used. Below is an example report:
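
The URL filtering that these two reports describe can be sketched as follows. This is an added example, not Sonar's own code: the log line format, the sample entries and the function names are assumptions, and it relies on the public query parameters `q` (Google, Bing), `p` (Yahoo) and `v` (YouTube).

```python
from urllib.parse import urlsplit, parse_qs

# Host suffix -> (engine name, query parameter carrying the search term).
SEARCH_ENGINES = {
    "google.com": ("Google", "q"),
    "bing.com": ("Bing", "q"),
    "search.yahoo.com": ("Yahoo", "p"),
}

def host_matches(host, suffix):
    """True if host is the suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)

def classify(url):
    """Return (report, source, value) for a search or YouTube URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)  # decodes %xx and '+' for us
    if host_matches(host, "youtube.com") and parts.path == "/watch" and "v" in query:
        return ("youtube", "YouTube", query["v"][0])
    for suffix, (engine, param) in SEARCH_ENGINES.items():
        if host_matches(host, suffix) and parts.path == "/search" and param in query:
            return ("search", engine, query[param][0])
    return None

def build_report(log_lines):
    """Turn 'timestamp user ip url' lines (assumed format) into report rows."""
    rows = []
    for line in log_lines:
        timestamp, user, ip, url = line.split(maxsplit=3)
        hit = classify(url)
        if hit:  # everything else is the "other information" the report drops
            report, source, value = hit
            rows.append({"report": report, "time": timestamp, "user": user,
                         "ip": ip, "source": source, "value": value})
    return rows

# Constructed sample entries; users, addresses and the video ID are made up.
SAMPLE_LOG = [
    "2015-10-01T09:14:02 jsmith 192.0.2.21 https://www.google.com/search?q=sonar+ssl+inspection&ie=UTF-8",
    "2015-10-01T09:15:40 jsmith 192.0.2.21 https://www.youtube.com/watch?v=EXAMPLEVID01&t=30",
    "2015-10-01T09:16:11 akhan 192.0.2.37 https://search.yahoo.com/search?p=certificate+store",
    "2015-10-01T09:17:05 akhan 192.0.2.37 https://www.bing.com/",
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_LOG):
        print(row)
```

Every field extracted here comes from the path and query string, which is why these reports are only available when the traffic is being decrypted.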

KNOWN ISSUES

While SSL Inspection works well if configured correctly, there is one (so far) notable issue that we have encountered that may affect some users. 

  1. Chrome on iOS does not support self-signed Certificates - Users will often get the certificate error page when browsing to SSL sites whilst going through Sonar's Proxy with SSL Inspection enabled. This is a Google issue and not within our power to fix. However, we have received reports that this issue is resolved in iOS 9. Safari on iOS has no issues however. 

 
