Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
Yes. But I still use an adblocker and web filter to supplement and block in different ways for different reasons. I have all the ad categories checked off in the Untangle apps, and today they blocked 25 ads. Pi-hole blocked 7324 as of this post today. Disclaimer, though: things may be getting blocked before they hit the Untangle apps.
I had Untangle with Adblocker ON and SSL Inspection, and sadly it did nothing to prevent ads... I think the app needs an update, or a cool way to add blocklists like in Pi-hole.
Web-Content Filter is super nice and a great feature, but it relies heavily on SSL Inspection to work as intended. Tested with https://www.sophostest.com/ - without SSL Inspection all of that goes through... -.-
Best regards
Val.
Funny... I just tried this site and sure enough, without SSL Inspector it all passes. However, I edited the URL to visit the non-HTTPS version of a category I do have blocked, and Untangle didn't scream; the Sophos endpoint protection on my laptop did, though... Maybe it's more as they say: "This test site contains pages classified by SophosLabs for the purpose of testing our web security and control products." With the emphasis on our?
Without doing any extensive testing, Web Filter does nothing with SSL Inspector enabled.
I realize that I'm not on the same page as knowledgeable members here, but if Web Filter depends on SSL Inspector to see domains in HTTPS traffic, then the SNI and certificate features of Web Filter are all but meaningless. Web Filter must know the TLD at least to convert it to a category and check it against the enabled filters. So again, if, as some here argue, Web Filter is blind to domains in HTTPS requests, then the SNI and certificate features contribute little, if anything.
That said, testing against the Sophos test site doesn't establish things one way or another, since SSL Inspector makes no difference under the adult category, at least.
Hello @Sam Graf,
I did multiple tests with Webfilter, and "SSL Inspection does not affect Webfilter" is, I think, wrong. Maybe I am wrong as well, but why do I have a different result then?! My DNS is Untangle, and my DNS traffic is going forcefully to it as well, thanks to the port forward rule from the community. The other part that can affect DNS traffic is DoH, which can go over port 853!
The reason is not only Adult Content but critical things like "Call Home" and multiple categories; even the EICAR test file had issues. I had better results with SSL Inspection on than without on multiple sites. I just referenced the "Sophos Test Site" because it is easy to reconstruct for all.
@Armshouse that is true but Untangle does a great job blocking ^^ I only had issues with SSL Inspector off...
Best regards
Val.
I think that’s an excellent question and point. We have a handful of views on how Web Filter works, or should work, we have inconsistent results as we do our individual tests, and it’s all very confusing.
My own opinion is the community needs to figure out a way to rigorously test Web Filter with repeatable results among different users/system configurations. For instance, I’m not sure Web Filter relies on DNS. I think it relies on a plaintext version of the URL and then looks it up in its own resource. But do I know that for sure? I don’t.
Lots of good questions here.
Web Filter monitors TCP sessions that terminate on 80 or 443. It's really not that complicated. It gathers what information it can, and filters with it. SSL Inspector (if configured correctly) provides more information.
That is all... There is no more, or no less to understand.
I do not find the use of SSL Inspector to be worth the effort. Web Filter still works even if the client does DNS over TLS, because it doesn't need nor care about the DNS request the client made. All it cares about is the HTTP/HTTPS sessions the browser makes to access the resource in question.
3rd party testing sites, such as the Sophos site linked here, are very frequently built intentionally to make the product they belong to look better than it actually is. And because the site is harmless, there's no reason for other vendors to mark said site as "malware" or whatever... so you can't use them to test against reliably.
Last edited by sky-knight; 06-06-2020 at 03:55 PM.