TLS/SSL Inspection is now going to be business license only?

[Vilmalith]

TLS/SSL Inspection is now going to be business license only?

I noticed today that your features list, lists Policy based Transparent TSL/SSL Inspection as coming soon only for the Business license.  Granted I haven't looked at the feature list in awhile.  But the feature list doesn't list any other TLS/SSL inspection.  Are none of the other licenses for Zenarmor getting TLS/SSL inspection now?

[NW4FUN]

Apparently yes, they've decided for whatever reason to only enable that feature on the business subscription, leaving out the HOME subscribers...

I'm very UPSET with that direction as it leaves my personal use case uncovered. I hope they'd change their mind...

[chemlud]

What did you except? Lock in - then cash time. Bussiness as usual...

[athurdent]

According to the archived 04/2020 version of the plan comparison, Policy based Transparent TLS/SSL Inspection has never been announced as a part of any other than the business plan, at least not in the past years.
https://web.archive.org/web/20200427221415/https://www.sunnyvalley.io/plans/

[NW4FUN]

@athurdent and @chemlud

That's not the point. Not providing Full TLS Inspection to HOME subscribers is a huge mistake as that covers more than a use case for the average household. Limiting that feature offering to BUSINESS only ($80/m) makes it just not an option for home users who are paying $99/year for their subscription.

Honestly, missing out on that makes me questioning the entire HOME subscription plan...is it still worth it considering pretty much ALL traffic is encrypted these days?

Other vendors I've been using in the past with a HOME/FAMILY plan (Untangle is a great example but not the only one) before migrating to OPNsense, DO offer TLS inspection functionality. Actually their HOME plan is basically a full BUSINESS plan offered at an affordable price for home/personal usage.

Shame on you Sunnyvalley if you're reading this!

/rant 

[athurdent]

I am happy without TLS decryption for home. DPI/app/services/URL recognition works pretty well with Zenarmor, and lets me block the bad ones.
Having implemented SSL decryption at work with different vendors, it's no fun. You end up with a larger exception list than you wanted. SSL generally does not like to be man-in-the-middled, plus there are a lot of apps that come with pinned CAs, won't respect your private issuing CA and will break.

[NW4FUN]

I agree the TLS inspection is a pain generally speaking, however, the fact YOU are happy without it, it doesn't necessarily mean it's either not needed or nobody wants it.

There's a plethora of use cases for which it is a must have scenario. Moreover, on a policy based TLS, you can easily contain the inspection to what you really need to control/block (nobody is looking to inspect ALL the encrypted traffic - that's a nonsense).

[beki]

Hi all!

Just wanted to let you know that Zenarmor offers free Domain and IP-based Certificate TLS inspection for every packet, whether you're using Free, Home, SOHO, or Business edition.

If you're using the Business edition, you will also take advantage of the Full TLS inspection feature.

Let us know if you have any questions or need further assistance.

Best

[NW4FUN]

Can you please elaborate on the differences between the two offered levels of TLS inspection?

[beki]

Hi NW4FUN,

Free/Certificate TLS inspection can block/allow according to the domain name.

But, Full TLS inspection can screen all data packets. For example, it can block/allow traffic by checking not only the domain name but also the URL. Malicious file protection and antivirus protection will work based on Full TLS inspection capability as well.

Best

[NW4FUN]

Thanks! That might actually do for my use case…

How do I configure the free TLS inspection? I simply download and install the Zenarmor certificate onto the impacted devices?

Thanks for your guidance and support

[beki]

There is no special configuration for free TLS inspection.
After defining the default policy, it will automatically apply tls inspection.

[NW4FUN]

There’s something odd then going on…for instance, Zenarmor is unable to read TikTok.com or Snapchat.com and block it accordingly (social network category is restricted), whilst it is able to restrict the app itself (I guess it can successfully read the apps signature).

Can you please advise

[beki]

Thanks for your feedback.

Snapchat looks under the IM app category. We will move it to the social media category.
Tiktok should be blocked. Are you using TikTok mobile app or trying to access it via a web browser on a desktop?

[NW4FUN]

They're both restricted in the WEB CONTROLS and the APP CONTROLS sections.

Whilst the APPs itself are being blocked, same is not the case for when accessing from web browser (SAFARI)