OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: road hazard on April 26, 2024, 09:35:48 PM

Title: Need help understanding full TLS inspection
Post by: road hazard on April 26, 2024, 09:35:48 PM
When I was using Untangle, to get -FULL- visibility into all network traffic to/from my machines, I vaguely remember having to import a cert into each computer and it was just a manual, ugly, pain in the butt and never fully worked well and broke a lot of things so I eventually gave up on it.

With ZenA 1.17, would all that be a thing of the past and I'll be able to inspect everything without visiting each machine to install a cert and no fear of breaking apps? My kids are of the age where I want to have more visibility into what they're doing on the internet and I'm wondering if now is a time to give ZA 1.17 a try?

Title: Re: Need help understanding full TLS inspection
Post by: Patrick M. Hausen on April 26, 2024, 09:58:00 PM
Sorry to disappoint you but while Zenarmor might provide a better user experience by a more reliable implementation and a better UI - I don't know either product, I'll explain why, later - the fundamental mechanisms are exactly the same.

Because the goal of TLS is reliable end-to-end encryption and man-in-the-middle detection. I.e. not being able to inspect TLS encrypted traffic is an explicit feature of the protocol.

So to still do that you need to create certificates on the fly with your own CA (certificate authority), and for the client to trust these certificates you need to install the CA cert on each and every client.

So no, no way out of that convoluted setup with any product. Because TLS is designed to prohibit what you are trying to do.

Which is the reason why I plain refuse to implement anything like this. It frequently - especially with commercial implementations by $BIGCORP - weakens security because the "TLS inspection gateways" lag behind current developments in cryptography, and all in all it provides a significantly worse user experience as you found out already.

My (personal) stance: just don't. TLS is end-to-end for a reason and not going away.

Now to protect your kids from certain web sites, you might consider AdGuard Home and possibly CrowdSec which are much less intrusive and standard compliant tools.


Just my personal take - the technical "truth" for you, still: if you insist on breaking TLS, fundamentally all products work the same way.
Title: Re: Need help understanding full TLS inspection
Post by: road hazard on April 27, 2024, 05:34:59 AM
Thanks for the reply! I thought it sounded too good to be true. :(

I'll give those other products you mentioned a read over.

Thank you
Title: Re: Need help understanding full TLS inspection
Post by: athurdent on April 27, 2024, 06:29:23 AM
Quote from: Patrick M. Hausen on April 26, 2024, 09:58:00 PM
Sorry to disappoint you but while Zenarmor might provide a better user experience by a more reliable implementation and a better UI - I don't know either product, I'll explain why, later - the fundamental mechanisms are exactly the same.

Because the goal of TLS is reliable end-to-end encryption and man-in-the-middle detection. I.e. not being able to inspect TLS encrypted traffic is an explicit feature of the protocol.

So to still do that you need to create certificates on the fly with your own CA (certificate authority), and for the client to trust these certificates you need to install the CA cert on each and every client.

So no, no way out of that convoluted setup with any product. Because TLS is designed to prohibit what you are trying to do.

Which is the reason why I plain refuse to implement anything like this. It frequently - especially with commercial implementations by $BIGCORP - weakens security because the "TLS inspection gateways" lag behind current developments in cryptography, and all in all it provides a significantly worse user experience as you found out already.

My (personal) stance: just don't. TLS is end-to-end for a reason and not going away.

Now to protect your kids from certain web sites, you might consider AdGuard Home and possibly CrowdSec which are much less intrusive and standard compliant tools.


Just my personal take - the technical "truth" for you, still: if you insist on breaking TLS, fundamentally all products work the same way.

Adding some experience on the "designed to prohibit" part: while one can usually convince a browser to accept the TLS/SSL inspecting CA's cert, it's impossible for e.g. smartphone apps and a lot of Windows/macOS programs/apps. They just won't respect your CA and the app's connectivity simply breaks.
You'll end up with an SSL decryption exception list you'd have never dreamed of before.
Title: Re: Need help understanding full TLS inspection
Post by: Monviech (Cedrik) on April 27, 2024, 07:31:12 AM
The device that receives the traffic has to decrypt it in order to process it. Best use some software there that """protects""" your Endpoint, instead of trying to centralize it.
Title: Re: Need help understanding full TLS inspection
Post by: cwt on April 28, 2024, 12:40:00 PM
As already mentioned above, filtering services like AdGuard Home or PiHole can give you a quantum of control over what can be visited and what not.

ZenArmor has additional options which can be combined with existing Adblocking DNS services to prevent bypassing filtering mechanisms. One option is to block DoH (DNS over HTTPS). Afaik this feature is available in the smallest subscription (SOHO) but I'm not 100% sure. And there are web filtering options available (categories of known services/sites). These services rely on lists which are maintained by ZenArmor. But it's also possible to extend these with your own custom rules or addresses, like in AdGuard Home and in PiHole.

If you implement DNS blockers, be sure to force DNS requests which bypass your DNS sinkhole with appropriate NAT rules.


Cheers
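As an added illustration of the "force DNS with NAT rules" advice above (not from the thread or from any of the products mentioned), here is what such rules look like in raw pf syntax as used by OPNsense/FreeBSD; the interface name "lan" and the sinkhole address 192.168.1.1 are constructed assumptions, and in the OPNsense GUI the same is configured under Firewall > NAT > Port Forward and Firewall > Rules.

```pf
# Assumption (constructed): the DNS sinkhole (AdGuard Home / PiHole) listens on
# the LAN address of the firewall. Adjust to your own setup.
sinkhole = "192.168.1.1"

# Catch plain DNS (UDP/TCP 53) from the LAN that is NOT already going to the
# sinkhole and redirect it there. Clients with a hard-coded public resolver
# (e.g. 8.8.8.8) are transparently answered by the sinkhole instead.
rdr pass on lan inet proto { tcp udp } from lan:network to ! $sinkhole port 53 -> $sinkhole port 53

# DNS over TLS (TCP/UDP 853) cannot be redirected transparently because the
# client verifies the resolver's certificate; reject it so the client falls
# back to plain DNS, which the rule above redirects. "return" sends a reset
# instead of silently dropping, so the client fails over quickly.
block return quick on lan inet proto { tcp udp } from lan:network to any port 853

# Explicitly allow the redirected queries to reach the sinkhole.
pass in quick on lan inet proto { tcp udp } from lan:network to $sinkhole port 53
```

DNS over HTTPS rides on TCP 443 and is indistinguishable from normal web traffic at this layer, so the remaining bypass is handled by the DoH blocking option mentioned in the thread or by adding known DoH resolver hostnames to the sinkhole's blocklist.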
Title: Re: Need help understanding full TLS inspection
Post by: sy on April 29, 2024, 07:54:19 PM
Hi,

Blocking DNS over HTTPS is available for free users as well :)
Title: Re: Need help understanding full TLS inspection
Post by: almodovaris on May 22, 2024, 10:44:46 PM
I don't know about Untangle, but Zenarmor TLS inspection has:

- whitelist (do not inspect): factory defined whitelist and user whitelist;
- blacklist (always inspect);
- granular control (inspect only these categories of websites).

So, yeah, applying FTI to all websites/apps seems dumb, but applying it to only some of them is smart.