Web Filter: SNI extension feature and HTTPS blocking
Server Name Indication (SNI) is an extension to TLS (Transport Layer Security)
that carries, in clear text in the client's ClientHello, the hostname the
client intends to reach. This Web Filter feature reads the SNI hostname to
block access to specific sites over HTTPS without decrypting the connection.
For example, if the administrator chooses to block the hostname
‘www.youtube.com’ using this feature, every HTTPS connection whose SNI
carries ‘www.youtube.com’ is blocked. Access to the same hostname over
plain HTTP is not affected by this feature: HTTP requests are matched by
the regular Web Filter policy on the URL and Host header, not on the SNI,
so a site that should be unreachable over both protocols needs the regular
policy entry as well as the SNI entry.
Because this feature relies on information carried in the SNI, it works
only when the client supports SNI and connects using TLS. An SSLv3
ClientHello has no extensions field and therefore cannot carry an SNI.
Some browsers (such as Firefox) fall back to SSLv3 if an initial TLS
connection attempt fails; in that case this feature blocks the targeted
sites over TLS but not over SSLv3. Where possible, administrators should
disable SSLv3 on client browsers to close this gap; SSLv3 is also
cryptographically broken and is disabled in current browsers, so the
fallback affects only legacy clients. For the same reason, a client that
simply omits the SNI (for example a scripted TLS client rather than a
browser) is not blocked by this feature, so it should be treated as a
policy control rather than a hard security boundary.
As a precaution when using this feature, note that blocking a hostname in
the SNI blocks every HTTPS resource served under that hostname, which can
lead to over-blocking. For example, blocking ‘www.google.com’ blocks
Google Web Search, Image Search and Video Search over HTTPS, but it also
blocks the reCAPTCHA program used by sites such as Gmail, Facebook and
LinkedIn, because those pages load it from ‘www.google.com’ and the
browser's connection for it carries that hostname in the SNI. Administrators
should therefore check what else is served from a hostname before adding it
to the block list.
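To make the three points above concrete (SNI-based blocking, the SSLv3 hello that carries no SNI, and over-blocking of a shared hostname), here is an added example that is not part of this page or the product: a small Python script that builds synthetic ClientHello records, extracts the server_name extension the way an SNI filter must, and applies an exact-match block list. The exact-match rule, the `build_client_hello`/`extract_sni`/`sni_verdict` names and the sample hostnames are assumptions made for the illustration; the records are constructed, not captured traffic.

```python
"""Added example: SNI extraction from a TLS ClientHello plus an SNI block list.
Not the Web Filter's own code; illustrates the behaviour the page describes."""
import struct

TLS_HANDSHAKE = 0x16       # record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type
EXT_SERVER_NAME = 0x0000   # server_name extension type (RFC 6066)


def build_client_hello(version, sni=None):
    """Construct a synthetic ClientHello record (test input, not real traffic).
    version is (major, minor): (3, 3) for TLS 1.2, (3, 0) for SSLv3.
    An SSLv3 hello has no extensions field at all, so no SNI can be carried."""
    body = bytes(version) + b"\x00" * 32          # client_version + random
    body += b"\x00"                               # session_id: empty
    body += b"\x00\x02\x00\x2f"                   # cipher_suites: one suite
    body += b"\x01\x00"                           # compression_methods: null
    if version != (3, 0):                         # TLS only: extensions block
        exts = b""
        if sni is not None:
            host = sni.encode("ascii")
            name = b"\x00" + struct.pack("!H", len(host)) + host   # host_name
            sn_list = struct.pack("!H", len(name)) + name
            exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
        body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension,
    lower-cased, or None when the hello carries no SNI (SSLv3, old client,
    or a client that deliberately omits it). Bounds-checked at every step."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # skip compression_methods
    if len(body) < pos + 2:
        return None                               # no extensions field (SSLv3)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:                         # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(edata) >= 2:
            q = 2                                 # skip server_name_list length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                    # NameType host_name
                    return edata[q:q + nlen].decode("ascii", "replace").lower()
                q += nlen
    return None


def sni_verdict(record, block_list):
    """Return ("block"|"allow", sni). Exact hostname match is assumed here;
    with no SNI present the feature cannot act, so the result is "allow"."""
    sni = extract_sni(record)
    if sni is None:
        return "allow", None
    blocked = {h.lower().rstrip(".") for h in block_list}
    return ("block" if sni.rstrip(".") in blocked else "allow"), sni


if __name__ == "__main__":
    block = ["www.youtube.com", "www.google.com"]
    cases = {
        "TLS 1.2, SNI www.youtube.com": build_client_hello((3, 3), "www.youtube.com"),
        "TLS 1.2, SNI www.google.com (reCAPTCHA host)": build_client_hello((3, 3), "www.google.com"),
        "TLS 1.2, SNI maps.google.com": build_client_hello((3, 3), "maps.google.com"),
        "SSLv3 fallback hello (no extensions)": build_client_hello((3, 0)),
        "TLS 1.2, SNI omitted": build_client_hello((3, 3)),
    }
    for label, rec in cases.items():
        print(f"{label:46s} -> {sni_verdict(rec, block)}")
```

The second case shows the over-blocking the page warns about: a page on another site that loads reCAPTCHA opens its own TLS connection to ‘www.google.com’, so that connection is blocked along with Google Search. The last two cases show the gaps: an SSLv3 hello and a TLS hello with no SNI both yield no hostname, so the filter has nothing to match and lets the connection through.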
For an alternative way of applying policy to Google and YouTube sites, see
inline filtering, available in Bridge Mode (5.1.00 and up) and in Firewall
and Router modes (5.1.10 and up).