Deep Disappointment with Zenarmor's Commitment

[athurdent]

In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works.

I have already implemented and test the SSL inspection in my org, Installation of Zenarmor SSL certificate is mandetory in order work TLS inspection and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure  how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.

It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.

Zenarmor is agent-less though? You should perhaps elaborate on your ask, and lay out what others like Palo Alto are doing differently.
I.e. explain how you'd like full SSL Inspection be done by Zenarmor (or any other SSL Inspection engine) without trusting a certificate used to decrypt traffic in the middle.

[cookiemonster]

Eh ?! What is your understanding of how Palo Alto does the inspection? Agent or Agent-less has nothing to do with it.

[Monviech]

Somehow this thread got derailed. Can a new one be created to discuss the ups and downs and requirements for TLS MITM proxy?

[pradip.marathon]

In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement TLS inspection without requiring any tools or certificates to be installed on the endpoints.

You should probably read up on how SSL Inspection works.

I have already implemented and test the SSL inspection in my org, Installation of Zenarmor SSL certificate is mandetory in order work TLS inspection and filter the content.
Do you have any other aspect on this?

Every SSL Inspection implementation requires you to trust a signing certificate, i.e. install a custom cert. So unsure  how one would expect Zenarmor to act differently when familiar with the requirements for SSL Inspection.

It's surprising to see such comments without a proper understanding of the context. I have clearly outlined the expected solution, fully aware of how SSL inspection works. While I understand that implementing SSL inspection typically requires trusting a signing certificate, I believe that solutions like those offered by Palo Alto already provide agent-less options to achieve the desired results.

Zenarmor is agent-less though? You should perhaps elaborate on your ask, and lay out what others like Palo Alto are doing differently.
I.e. explain how you'd like full SSL Inspection be done by Zenarmor (or any other SSL Inspection engine) without trusting a certificate used to decrypt traffic in the middle.

I expectation was mentioned clearly in earlier post as well.
In a BYOD scenario, why would someone want to install a certificate on their personal device?

There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.

Palo Alto can filter the content from website, example 1- I would like to give access of youtube except specific video category in youtube like Shorts, Movies, Non-Educational, Games etc.
example 2 - I would like to give access of facebook but not the games inside facebook.

[Patrick M. Hausen]

There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.

This is technically impossible. The entire point of TLS is prohibiting "inspection".

[athurdent]

Palo Alto can filter the content from website, example 1- I would like to give access of youtube except specific video category in youtube like Shorts, Movies, Non-Educational, Games etc.
example 2 - I would like to give access of facebook but not the games inside facebook.

That usually requires the firewall to be able to inspect the URLs called, which normally demands SSL decryption to take a look. With a certificate installed on your system.
If it really works without, and please verify and let us know, then they got lucky and there are e.g. different hosts used by YouTube or Facebook for this. Which would allow differenciation without looking at the traffic.

I doubt you can do the above with Palo Alto and no extra certificate installed though.

[bimbar]

You CAN do filtering on a domain name basis via SNI without decryption, but that's it.

[pradip.marathon]

There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.

This is technically impossible. The entire point of TLS is prohibiting "inspection".

I believe you will need to explore some available solutions. It is very much possible to achieve this. For YouTube, the YouTube V3 API is already available, which can be used with open-source proxies like Squid. There are multiple bundled packages with Squid that already include such integrations. Please refer to WebSafety from Diladele and SafeSquid's integration for "https://docs.safesquid.com/wiki/Youtube_API_Integration_With_Safesquid_To_Allow_Specific_YouTube_Videos" for more information.

[pradip.marathon]

You CAN do filtering on a domain name basis via SNI without decryption, but that's it.

Agreed, But here I was refering to content filtering instead of URL filtering.

[bimbar]

There should be a solution to implement content filtering/TLS inspection without requiring any tools or certificates to be installed on the endpoints.

This is technically impossible. The entire point of TLS is prohibiting "inspection".

I believe you will need to explore some available solutions. It is very much possible to achieve this. For YouTube, the YouTube V3 API is already available, which can be used with open-source proxies like Squid. There are multiple bundled packages with Squid that already include such integrations. Please refer to WebSafety from Diladele and SafeSquid's integration for "https://docs.safesquid.com/wiki/Youtube_API_Integration_With_Safesquid_To_Allow_Specific_YouTube_Videos" for more information.

Well I'm going to stop arguing this then. Do live in whatever world you choose.

[Patrick M. Hausen]

I believe you will need to explore some available solutions. It is very much possible to achieve this. For YouTube, the YouTube V3 API is already available, which can be used with open-source proxies like Squid. There are multiple bundled packages with Squid that already include such integrations. Please refer to WebSafety from Diladele and SafeSquid's integration for "https://docs.safesquid.com/wiki/Youtube_API_Integration_With_Safesquid_To_Allow_Specific_YouTube_Videos" for more information.

Quote from the doc you linked:

HTTPS Inspection should be enabled in SafeSquid. If not enabled, you can check our document ...

Link to that document:
https://docs.safesquid.com/wiki/Setup_HTTPS_Inspection

Quote:

Importing SafeSquid SSL certificate into your browser

When SafeSquid is installed in your network with HTTPS inspection enabled and SSL certificate not installed into the browser, then you will get an error while accessing the HTTPS websites. You have to install SafeSquid SSL certificate into the browsers.

As I argued it is technically impossible to inspect TLS without installation of a trusted CA on the client.

[athurdent]

If anything, this discussion with the OP helped at least me putting the original post in perspective.
I'm out, feels like there's a better use of my time than rephrasing the same fact over and over again.