topic Re: can we identify an https web-site category reading certs cn name part as fortigate do ? in General Topics

can we identify an https web-site category reading certs cn name part as fortigate do ?

Yavuz_Ozdemir — Wed, 09 Sep 2015 20:27:04 GMT

hi i asked my question in title of my message i also wonder what is the danger of doing this kind of categorization , why don't we prefer this ?

Re: can we identify an https web-site category reading certs cn name part as fortigate do ?

gwesson — Wed, 09 Sep 2015 22:36:14 GMT

This is done automatically.

If you are not doing SSL decryption, the firewall will use two mechanisms to determine the site category:

The client often will send a Server Name extension in their Client Hello, which provides the FQDN of what is being requested.
If running 5.0 or older, or the Server Name extension is not used by the client, the firewall will use the CN for categorization.

Neither is as good as what you get with SSL decryption. When you actually do decryption, the full URI is available for categorization.

Using the CN is incomplete, because sites often separate content with subdirectories rather than subdomains. Using the example.com domain, it could look like this:

www.example.com/news

www.example.com/games

www.example.com/adult

In each example above, both the Server Name extension and the certificate's Common Name field would read the same: www.example.com.

There's no way to determine what the client has actually requested if you can't see the encrypted content, so it is not nearly as accurate as you get when decrypting.

-Greg

Re: can we identify an https web-site category reading certs cn name part as fortigate do ?

MyTechnic — Thu, 17 Sep 2015 08:32:20 GMT

Hi Greg ,

thaks for the answer , actually i did not interest in identifiying subdomains , paloalto can't block facebook or youtube if they use https, when i block streaming media or social networking becouse it can not read cn from the cert.but fortigate can read this , don't misunderstand please i am not a fan of forti but it seems they can do sometihg easier than us , if they can do why we can not , may be the engineers thougt that there is a security issue about just searching that answer or may be simply we can not do this . also i tested both pan-db and brightcloud many times we are far from being good about url filtering . may be this depends on location in Turkey it is not good enough to identify web-sites .