100 2 Posted June 30, 2019 Share Posted June 30, 2019 (edited) I noticed, that the SSL/TLS-MITM doesn't work for many sites (like Eset, Google, Paypal, Ebay, Amazon, Youtube). The certificates are not shown as "Eset, spol. sr. o.". On Facebook and Twitter the filter is working. I have tested it with Firefox 67.0.4 and Internet Explorer 11 on Windows 7 x64 and also with the filter settings automatic and scan. Edited June 30, 2019 by 100 Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted June 30, 2019 Administrators Share Posted June 30, 2019 If you want to filter the communication on trusted websites, e.g. facebook.com, disable the setting "Exclude communication with trusted domains" in the SSL/TLS filtering setup. 100 1 Link to comment Share on other sites More sharing options...
100 2 Posted June 30, 2019 Author Share Posted June 30, 2019 Thank you very much, Marcos. Sorry, I overlooked this setting. Link to comment Share on other sites More sharing options...
100 2 Posted June 30, 2019 Author Share Posted June 30, 2019 Hm, a domain on the internal list of trusted domains cannot be filtered by an entry in the list of known certificates? I have tested it and it seams to be that the internal list of trusted domains have always priority. Link to comment Share on other sites More sharing options...
itman 1,659 Posted June 30, 2019 Share Posted June 30, 2019 1 hour ago, 100 said: Hm, a domain on the internal list of trusted domains cannot be filtered by an entry in the list of known certificates? Did you set the scan type to "Ignore?" Link to comment Share on other sites More sharing options...
100 2 Posted June 30, 2019 Author Share Posted June 30, 2019 (edited) 24 minutes ago, itman said: Did you set the scan type to "Ignore?" No, to "scan". Example: Amazon.com is on the internal list of trusted domains and therfore it is not scanned by the SSL/TLS MITM. The displayed certificate is from Verisign. If I add this certificate to the list of known certificates and set it to "scan" (the same with "auto"), the displayed certificate should be Eset, but it is still Verisign (even after restarting the browser). Edited June 30, 2019 by 100 Link to comment Share on other sites More sharing options...
itman 1,659 Posted June 30, 2019 Share Posted June 30, 2019 15 minutes ago, 100 said: No, to "scan". Example: Amazon.com is on the internal list of trusted domains and therfore it is not scanned by the SSL/TLS MITM. The displayed certificate is from Verisign. If I add this certificate to the list of known certificates and set it to "scan" (the same with "auto"), the displayed certificate should be Eset, but it is still Verisign (even after restarting the browser). As far as I am aware of, you can't use certificate exclusions this way. They are use primarily to exclude a web site from being scanned. So your statement is correct; Eset's build-in scanning exclusion list overrides everything. 100 1 Link to comment Share on other sites More sharing options...
100 2 Posted July 1, 2019 Author Share Posted July 1, 2019 I was just playing with it. It's no problem to trust the internal list. I think it will be updated automatically if one of the pages suddenly contains malicious code. For trusted domains with payment functionality it is better not to break the encryption. This is probably the intention of the internal trused list. Link to comment Share on other sites More sharing options...
Recommended Posts