To date I've created/commented on other threads on this forum regarding this, but this thread serves to centralize this issue. Since the Google crawler seems to hit these forums, hopefully this will get some attention.
If you are reading this thread and the issues below pertain to you as well, please comment below.
My corporation chose to purchase Websense in order to perform web filtering, as well as MITM (man in the middle) SSL decryption/monitoring for Data Loss Prevention.
Currently, as it stands, for a secure implementation of Websense, if SSL decryption is enabled, and you are using an internal certificate to present to end users, you must enable the Certificate Verification Engine feature in the Websense Content Gateway. What this feature does is perform various checks against the external SSL certificate to confirm the validity of that certificate.
If you do not enable this certificate engine while performing SSL decryption, you are flying blind, essentially, as other MITM schemes and invalid cert issuers can intercept your data, and no one in your organization will know. (e.g. think about the recent issues with DigiNotar certs being hacked and Gmail victims falling prey)
For example, let's use the example of visiting https://www.gmail.com. With SSL decryption enabled, end users will see that this website is using a valid certificate, one that is issued by your company internally, essentially masking the actual SSL certificate. The verification engine then should validate the external SSL certificate. If this validation fails, then a warning should be displayed to the end user -- a warning much like if you visited a site with an expired/invalid certificate.
To date, the verification engine feature does not work without causing massive issues in an environment.
Here are two issues that I've identified so far:
- [Minor] When Websense validates a certificate, there is an option to check a CRL (certificate revocation list) to determine if a certificate has been revoked. The problem with this is that there are many certificates issued/used on the internet that seemingly have problems / don't adhere to this standard. (not sure why) The easy solution would be to disable the CRL check option under the verification engine. However, this disablement does not currently work. This results in many end users bombarding the helpdesk wondering what the Websense block "verify deny = 0" means.
- [Major] Certain websites, such as wellsfargo.com, do not load properly, or do not load at all via SSL. This is an intermittent issue. Since this is a banking website, it is imperative to have SSL work. I have provided logs. I have provided data dumps. I have spent numerous hours troubleshooting this issue with Websense. Websense has even been able to reproduce this issue, but I have been told that I will need to impact my production environment further by enabling this feature long term to collect more dumps. This becomes a problem, as the [minor] issue above causes the helpdesk line to flood. Because of this, my 6+ month case has been closed, pending results for the issue above.
This issue has been escalated to the point where a Sr. Manager of Technical Support has been involved, but still, no real traction yet. To be fair, it's only been 6+ months of troubleshooting/waiting.
The most troubling thing I've seen is that it appears that others on this forum who use SSL decryption simply acknowledge that this is an issue and simply ignore/disable the verification engine. They've accepted the risk as a technical engineer, but I can only wonder if their IT management staff realize the data security ramifications.
Anyhow...
If you are reading this as a potential websense customer: Be aware of this issue. I'm not happy about this situation at all. This is a web security problem.
If you are reading this as another company who is using SSL decryption, and have run into these issues, or know of further issues to raise, chime in below.
If you are a websense staff member and care to check out my claims or offer some solutions, please do so! I welcome any/all comments, both positive or negative. Both cases associated to my account have been escalated to backline, while one is currently closed pending results from the other case.
I'll be continually updating this thread, if it does not end up getting brownholed.
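The verification step the post describes (validate the origin server's certificate before the proxy re-signs the session with the internal CA, with the CRL check as a separate knob) is shown below as an added example. It is not code from the original post and not Websense's verification engine; it is a standalone Go program using only the standard library. The PKI it checks against is constructed in the program: a trusted root, a leaf that root issued for www.example.com, a rogue CA that is not in the trust store but also issued a certificate for the same hostname (the DigiNotar-style case the post raises), and a CRL signed by the trusted root. The names VerifyOrigin, Fixture, NewFixture, template, issue and CRL are hypothetical; a real engine would fetch CRLs from the certificate's distribution point rather than receive them as arguments.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifyOrigin is the check a decrypting proxy must make on the origin certificate before
// re-signing the session with the internal CA: trusted chain, hostname, validity period and,
// when checkCRL is set, revocation against crls the proxy already holds (assumed fetched out of band).
func VerifyOrigin(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time,
	checkCRL bool, crls ...*x509.RevocationList) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return fmt.Errorf("verify deny: %w", err) // untrusted issuer, wrong name or expired
	}
	if !checkCRL {
		return nil // CRL check disabled: chain, name and expiry were still enforced above
	}
	issuer := chains[0][1] // chains[0][0] is the leaf itself
	for _, crl := range crls {
		if crl.CheckSignatureFrom(issuer) != nil {
			continue // not signed by this leaf's issuer, so not authoritative for it
		}
		if now.After(crl.NextUpdate) {
			return fmt.Errorf("verify deny: CRL is stale")
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("verify deny: certificate revoked")
			}
		}
		return nil
	}
	// No usable CRL: the state behind "verify deny" tickets when the check is mandatory; fail-open or fail-closed is the deployer's call.
	return fmt.Errorf("verify deny: no CRL available for issuer")
}

// Fixture is a constructed PKI (not real certificates): a trusted root, a leaf it issued for host, and a rogue CA outside the trust store that also issued for host.
type Fixture struct {
	Roots                 *x509.CertPool
	root, Leaf, RogueLeaf *x509.Certificate
	rootKey               *ecdsa.PrivateKey
	Now                   time.Time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func template(cn string, ca bool, serial int64, now time.Time) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: ca}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // crlSign is needed to sign CRLs
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

func NewFixture(host string) *Fixture {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, rogueKey, leafKey := newKey(), newKey(), newKey()
	rootT, rogueT := template("Constructed Trusted Root", true, 1, now), template("Constructed Rogue CA", true, 2, now)
	root, rogue := issue(rootT, rootT, &rootKey.PublicKey, rootKey), issue(rogueT, rogueT, &rogueKey.PublicKey, rogueKey)
	pool := x509.NewCertPool()
	pool.AddCert(root) // only the trusted root is in the proxy's trust store; the rogue CA is not
	return &Fixture{Roots: pool, Now: now, root: root, rootKey: rootKey,
		Leaf:      issue(template(host, false, 100, now), root, &leafKey.PublicKey, rootKey),
		RogueLeaf: issue(template(host, false, 200, now), rogue, &leafKey.PublicKey, rogueKey)}
}

func (f *Fixture) CRL(revoked ...int64) *x509.RevocationList { // CRL signed by the trusted root
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: f.Now.Add(-time.Hour), NextUpdate: f.Now.Add(12 * time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: f.Now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, f.root, f.rootKey))))
}

func main() { // prints the outcomes: revoked leaf with CRL check on, then rogue issuer with CRL check off
	f, h := NewFixture("www.example.com"), "www.example.com"
	fmt.Println(VerifyOrigin(f.Leaf, f.Roots, h, f.Now, true, f.CRL(100)), "|", VerifyOrigin(f.RogueLeaf, f.Roots, h, f.Now, false))
}
```

The point of the split into two knobs is the one the post is making: turning the CRL check off only skips the revocation lookup, while the certificate chain, hostname and validity checks still run, so a certificate from an issuer outside the trust store is denied regardless of the CRL setting. The "no CRL available" branch is where the helpdesk-flooding failure mode lives: if the engine treats a missing or unreachable CRL as a deny, every site whose CRL cannot be fetched produces a "verify deny" page.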