: SNI extension feature and HTTPS blocking
Indication (SNI) is an extension to TLS (Transport Layer Security)
that indicates the actual destination hostname a client is attempting
to access over HTTPS. For this Web Filter feature, SNI hostname
information is used for blocking access to specific sites over HTTPS.
For example, if the administrator chooses to block the hostname
‘www.youtube.com’ using this feature, all Website access
attempts over HTTPS that contain ‘www.youtube.com’ in
the SNI would be blocked. However access to the same hostname over
HTTP would not be blocked by this feature, since the
Web Filter policy applies to the HTTP hostname and not
the HTTPS hostname.
Since this Web Filter feature is based on information contained
in the SNI, it functions only if the client browser supports SNI
and access attempts are made using TLS. Some browsers (such as Firefox)
fall back to using SSLv3 if an initial connection attempt using
TLS is unsuccessful. In such cases, this feature would be successful
in blocking access to the targeted sites over TLS, but not over
SSLv3. If possible, administrators might consider disabling the
use of SSLv3 on client browsers to address this issue.
As a precaution
when using this feature, blocking certain hostnames in the SNI might
lead to over-blocking. For example, if the administrator chooses
to block the hostname ‘www.google.com,’ access to all
sites over HTTPS that contain this hostname in the SNI would be
blocked, such as Google Web Search, Image Search and Video Search.
However, access to the reCAPTCHA program used on sites such as Gmail,
Facebook and LinkedIn would also be blocked, since they contain
‘www.google.com’ in the SNI. Thus, administrators should
be aware of the potential of over-blocking when adding new hostnames
to the block list.
For an alternative way of applying policy to Google and YouTube
sites, see inline filtering available in Bridge Mode (5.1.00 and up), Firewall and Router modes (5.1.10 and up).