English Forums > Zenarmor (Sensei)

Need help understanding full TLS inspection


road hazard:
When I was using Untangle, to get -FULL- visibility into all network traffic to/from my machines, I vaguely remember having to import a cert into each computer, and it was just a manual, ugly pain in the butt that never fully worked well and broke a lot of things, so I eventually gave up on it.

With ZenA 1.17, would all that be a thing of the past, and would I be able to inspect everything without visiting each machine to install a cert and with no fear of breaking apps? My kids are of the age where I want to have more visibility into what they're doing on the internet, and I'm wondering if now is the time to give ZA 1.17 a try?

Patrick M. Hausen:
Sorry to disappoint you, but while Zenarmor might provide a better user experience by a more reliable implementation and better UI - I don't know either product, I'll explain why later - the fundamental mechanisms are exactly the same.

Because the goal of TLS is reliable end-to-end encryption and man-in-the-middle detection. I.e. not being able to inspect TLS encrypted traffic is an explicit feature of the protocol.

So to still do that you need to create certificates on the fly with your own CA (certificate authority), and for the client to trust these certificates you need to install the CA cert on each and every client.

So no, no way out of that convoluted setup with any product. Because TLS is designed to prohibit what you are trying to do.

Which is the reason why I plain refuse to implement anything like this. It frequently - especially with commercial implementations by $BIGCORP - weakens security because the "TLS inspection gateways" lag behind current developments in cryptography, and all in all it provides a significantly worse user experience as you found out already.

My (personal) stance: just don't. TLS is end-to-end for a reason and not going away.

Now to protect your kids from certain web sites, you might consider AdGuard Home and possibly CrowdSec which are much less intrusive and standard compliant tools.


Just my personal take - the technical "truth" for you, still: if you insist on breaking TLS, fundamentally all products work the same way.

road hazard:
Thanks for the reply! I thought it sounded too good to be true. :(

I'll give those other products you mentioned a read over.

Thank you

athurdent:

--- Quote from: Patrick M. Hausen on April 26, 2024, 09:58:00 pm ---Sorry to disappoint you, but while Zenarmor might provide a better user experience by a more reliable implementation and better UI - I don't know either product, I'll explain why later - the fundamental mechanisms are exactly the same.

Because the goal of TLS is reliable end-to-end encryption and man-in-the-middle detection. I.e. not being able to inspect TLS encrypted traffic is an explicit feature of the protocol.

So to still do that you need to create certificates on the fly with your own CA (certificate authority), and for the client to trust these certificates you need to install the CA cert on each and every client.

So no, no way out of that convoluted setup with any product. Because TLS is designed to prohibit what you are trying to do.

Which is the reason why I plain refuse to implement anything like this. It frequently - especially with commercial implementations by $BIGCORP - weakens security because the "TLS inspection gateways" lag behind current developments in cryptography, and all in all it provides a significantly worse user experience as you found out already.

My (personal) stance: just don't. TLS is end-to-end for a reason and not going away.

Now to protect your kids from certain web sites, you might consider AdGuard Home and possibly CrowdSec which are much less intrusive and standard compliant tools.


Just my personal take - the technical "truth" for you, still: if you insist on breaking TLS, fundamentally all products work the same way.

--- End quote ---

Adding some experience on the "designed to prohibit" part: while one can usually convince a browser to accept the TLS/SSL-inspecting CA's cert, it's impossible for e.g. smartphone apps and a lot of Windows/macOS programs/apps. They just won't respect your CA and the app's connectivity simply breaks.
You'll end up with an SSL decryption exception list you'd have never dreamed of before.
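
The mechanism Patrick describes (a gateway minting certificates on the fly from its own CA, which every client then has to trust) and the failure athurdent describes (apps that do not consult the system trust store, or that pin the genuine server key) can both be shown in one small program. This is an added example written for this page in Go's standard library, not code from Zenarmor, Untangle or any other product; the CA name, the hostname "example.com" and the "genuine" server key are constructed stand-ins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign gives the template a fresh serial number, has signer issue it under
// parent (parent == tmpl for a self-signed root) and parses the DER result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	var err error
	tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	must(err)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// NewCA builds the inspection gateway's own root CA: the certificate that
// would have to be installed as trusted on every client. Name is made up.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Home TLS Inspection CA (example)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// MintLeaf is the per-connection step: the gateway reads the client's SNI,
// generates a fresh key pair and signs a certificate for that name with its
// CA. The real site's key is never involved; the leaf is a forgery by design.
func MintLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey), key
}

// ClientAccepts is the check every TLS client runs on the presented
// certificate: chain to a trusted root and match the name it asked for.
func ClientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// SPKIPin is base64(SHA-256(SubjectPublicKeyInfo)), the value a pinning app
// ships with; PinMatches is the comparison such an app performs.
func SPKIPin(spki []byte) string {
	sum := sha256.Sum256(spki)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func PinMatches(leaf *x509.Certificate, expectedPin string) bool {
	return SPKIPin(leaf.RawSubjectPublicKeyInfo) == expectedPin
}

func main() {
	const host = "example.com" // constructed hostname
	ca, caKey := NewCA()
	minted, _ := MintLeaf(ca, caKey, host)

	// Client trusting only public roots (an empty pool stands in for them):
	// the forged chain ends at an unknown authority and is rejected.
	fmt.Println("no CA installed:", ClientAccepts(minted, x509.NewCertPool(), host))

	// Same client after the inspection CA is installed: forgery accepted.
	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	fmt.Println("CA installed   :", ClientAccepts(minted, withCA, host))

	// A pinning app carries the genuine server's SPKI hash (stand-in key here).
	// The minted leaf has a different key, so it fails with or without the CA.
	genuine, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	genuineSPKI, _ := x509.MarshalPKIXPublicKey(&genuine.PublicKey)
	fmt.Println("pin matches    :", PinMatches(minted, SPKIPin(genuineSPKI)))
}
```

`ClientAccepts` is the same `x509.Verify` that `crypto/tls` runs inside a client handshake, so the three printed lines are exactly the three outcomes on a real network: rejected until the CA is installed, accepted afterwards, and rejected regardless for anything that pins the server key or ignores the system trust store. Production gateways additionally copy the SAN list from the upstream certificate and cache minted leaves, but nothing about that changes which clients accept them.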

Monviech:
The device that receives the traffic has to decrypt it in order to process it. Best use some software there that """protects""" your Endpoint, instead of trying to centralize it.
