cancel
Showing results for 
Search instead for 
Did you mean: 
maitane
Level 7

Https looks like doesn´t work

Hello Everybody,

Since update to 7.1.0.6, the safesearch looks like doesn´t work or doesn´t match with anything, when we surf in https.

When we search "bitch" or "puta" we can see the images.

Does anybody know what´s happend?, why we can access in https to look everything.

Regards

PD: Maybe we can not envrypt the query because the user is redirected to a session unencrypted HTTP, but how???

El mensaje fue editado por: maitane on 2/04/12 6:28:57 CDT
0 Kudos
10 Replies
fschulte
Level 10

Re: Https looks like doesn´t work

If the safe search works in HTTP but not in HTTPS, I guess it is a wrongly configured SSL Scanner.

Can you filter any other SSL traffic?

Ciao

Felix

0 Kudos
maitane
Level 7

Re: Https looks like doesn´t work

Hi Felix,

The question is that we don´t want to inspect SSL traffic by now.
We´re working with the safesearch function enabled and also we´ve created a especific rule set to prevent possible unwanted results on web searchers.
This rule set is working fine in http but we´ve realised that if we use https://www.goole.com our rule set and the safe search neither work.

Hablas español?

Best regards.

0 Kudos
sroering
Level 13

Re: Https looks like doesn´t work

If you want to enforce Google safe search for https, then you must use the SSL scanner. The Web Gateway cannot modify the headers to force safe search unless it breaks into the SSL connection.

0 Kudos
maitane
Level 7

Re: Https looks like doesn´t work

Hi again,

We still have not enabled SSL scanning.

With all new features, is there now any way to perform it?

0 Kudos
asabban
Level 17

Re: Https looks like doesn´t work

Hello,

when SSL Scanner is not enabled MWG cannot see what you searched for. MWG will see that your browser talks to Google, not what is communicated. Therefore the safe search enforcer cannot apply.

Best,

Andre

0 Kudos
maitane
Level 7

Re: Https looks like doesn´t work

Ok Thanks,

And wich is the easiest way to enable the SSL scanning so it don´t looks like a "man in the middle"?

By now, we only want to scan those searchs.

0 Kudos
asabban
Level 17

Re: Https looks like doesn´t work

Hello,

the problem is that SSL Scanner basically is a "man in the middle". So MWG will always have to replace the server certificate in order to look into the tunnel. If you have a root certificate enrolled to your browsers that MWG can use to sign server certificates users won't notice if the certificate was signed by MWG. If desired you can restrict the SSL inspection to search engines only, so that most of the SSL traffic remains untouched.

However you will have the root certificate installed on the browsers. Otherwise they will always see a certificate warning, since the server cert was changed by MWG.

Best,

Andre

0 Kudos
maitane
Level 7

Re: Https looks like doesn´t work

That´s it Andre, thanks very much for your reply.

Restrict the SSL inspection to search engines only could be a good way for us by now.

Which would be the correct criteria? URL.Categories contains Search Engines?

0 Kudos
asabban
Level 17

Re: Https looks like doesn´t work

Hello,

basically yes, but we need to be a little careful here. The most important question it if you are running in a transparent mode. In transparent modes MWG may only see the destination IP address, rather than the host name that was accessed. In this case the categorization can cause problems. The category lookup performs reverse and forward DNS lookups to get a valid result, but it may not be as reliable as when running in explicit modes.

Also you have to ensure that your clients have a root certificate enrolled which MWG uses to sign server certificates. Otherwise your users will be prompted with a certificate warning. Actually there are customers who are happy with that, but I think its worth mentioning :-)

Maybe you restrict the SSL Scanner to the client IP of a test computer first of all, and play around with it. Then add the criteria for  Search Engines and check whether it behaves as desired. If all is good you could make the change for other users.

Best,

Andre

0 Kudos