HTTPS without MITM

Hammer
Getting noticed


Hi.


I'm looking at using an MX as a web filter but the network will be used primarily as a guest network. This means I don't want to and can't install the root cert on devices. A lot of firewall vendors support HTTPS filtering using methods such as reviewing the name on the certificate instead of actually inspecting the traffic by doing a MITM. Does the MX offer any such features, aside from Cisco Umbrella?


Thanks.

4 Replies
Nash
Kind of a big deal

The content filtering is URL-based and doesn't care about packet contents.


I don't believe the MX will perform certificate inspection this way.


I certainly do not recommend using it for HTTPS inspection, since it makes your throughput go to pot as well as the MITM issue.

PhilipDAth
Kind of a big deal

>Does the MX offer any such features


Yes. When a web browser initially connects to an https site it sends a "connect" message in plain text with the domain name it wants to talk to.

When a server is configured to use SNI the server uses this connect message to decide which certificate to present to the client. After this the connection goes encrypted.

Hammer
Getting noticed

Hi @PhilipDAth 


Thank you for confirming this. I haven't been able to find any documentation on it. Is it just part of the standard web filtering or is there anything extra to enable?


Also, is the behaviour that you describe affected by HSTS pre-loading?


Thanks.

PhilipDAth
Kind of a big deal

Nothing extra to enable.


I don't know about HSTS.
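
As an added example (not Meraki's code and not from anyone in this thread), the following Python pulls the plaintext server name that PhilipDAth describes out of a TLS ClientHello, which is what a name-based HTTPS filter matches on without decrypting anything; the ClientHello bytes and the blocklist are constructed inside the block.

```python
import struct

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if len(body) < 4 or body[0] != 0x01:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # skip client_version + random
    pos += 1 + hello[pos]                          # skip session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + hello[pos]                          # skip compression_methods
    if pos + 2 > len(hello):
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if ext_type == 0:                          # server_name extension (RFC 6066)
            data, off = hello[pos:pos + ext_len], 2   # skip ServerNameList length
            while off + 3 <= len(data):
                name_type, name_len = data[off], struct.unpack("!H", data[off + 1:off + 3])[0]
                if name_type == 0:                 # host_name
                    return data[off + 3:off + 3 + name_len].decode("ascii")
                off += 3 + name_len
        pos += ext_len
    return None

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal ClientHello carrying one SNI extension (sample input only)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"  # version, random, empty session_id
             + b"\x00\x02\x13\x01"                  # one cipher suite
             + b"\x01\x00"                          # null compression only
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def allowed(record: bytes, blocklist) -> bool:
    """Name-based filter decision: block if the SNI is a blocked domain or a subdomain of one."""
    name = extract_sni(record)
    if name is None:
        return True   # nothing to match on; a real filter would apply its no-SNI policy here
    return not any(name == d or name.endswith("." + d) for d in blocklist)
```

HSTS does not change what this sees: it is an HTTP response header that only affects whether the browser chooses HTTPS, and the server name is sent in the handshake before any HTTP data is exchanged.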
