Filter
Top Products
Firewall Settings > SSL Control
778
SonicOS 5.8.1 Administrator Guide
well-known application being HTTPS (HTTP over SSL). SSL provides digital certificate-based
endpoint identification, and cryptographic and digest-based confidentiality to network
communications.
An effect of the security provided by SSL is the obscuration of all payload, including the URL
(Uniform Resource Locator, for example, https://www.mysonicwall.com) being requested by a
client when establishing an HTTPS session. This is due to the fact that HTTP is transported
within the encrypted SSL tunnel when using HTTPS. It is not until the SSL session is
established (step 14, figure 1) that the actual target resource (www.mysonicwall.com) is
requested by the client, but since the SSL session is already established, no inspection of the
session data by the firewall or any other intermediate device is possible. As a result, URL based
content filtering systems cannot consider the request to determine permissibility in any way
other than by IP address.
While IP address based filtering does not work well for unencrypted HTTP because of the
efficiency and popularity of Host-header based virtual hosting (defined in Key Concepts below),
IP filtering can work effectively for HTTPS due to the rarity of Host-header based HTTPS sites.
But this trust relies on the integrity of the HTTPS server operator, and assumes that SSL is not
being used for deceptive purposes.
For the most part, SSL is employed legitimately, being used to secure sensitive
communications, such as online shopping or banking, or any session where there is an
exchange of personal or valuable information. The ever decreasing cost and complexity of SSL,
however, has also spurred the growth of more dubious applications of SSL, designed primarily
for the purposes of obfuscation or concealment rather than security.
An increasingly common camouflage is the use of SSL encrypted Web-based proxy servers for
the purpose of hiding browsing details, and bypassing content filters. While it is simple to block
well known HTTPS proxy services of this sort by their IP address, it is virtually impossible to
block the thousands of privately-hosted proxy servers that are readily available through a
1
2
3
4
5
6
7
8
9
10
11
12
15
13
14
16
Client
HTTPS Server
Client browses to http://www.mysonicwall.com
DNS resolves target to 64.41.140.173
Client Sends TCP SYN to 64.41.140.173 port 443.
Sever continues TCP setup with SYN/ACK
Client Sends ACK
Client Sends SSL Client Hello
Server Sends Server Hello
Server Sends ServerKeyExchange (Certificate)
Server Sends Server Hello Done
Client Sends ClientKeyExchange
Client Sends ChangeCipherSpec
Client Sends Encrypted Handshake message (Finished)
Server Sends ChangeCipherSpec
Server Sends Encrypted Handshake message (Finished)
Client Sends GET Request to www.mysonicwall.com (encrypted)
Server responds through SSL channel with data (encrypted).