Having just read the email blast about Exetel Home Secure, I'm curious about how it handles content blocking.
1. Is blocking done per DNS name, per IP address, per URL, other?
2. Is the blocking done based on a curated database of names/addresses/URLs that need to be blocked, or is there some form of real-time content inspection in operation?
3. If there is real-time content inspection, how is that achieved given that SSL is a thing?
4. If there is real-time content inspection that works even on SSL-protected content, how is that done? Does an Exetel-provided SSL spoofing certificate need to be installed on client devices to enable man-in-the-middle attacks against SSL content?
5. If an SSL spoofing certificate does need to be installed on client devices, is it a certificate owned by Exetel or by some third party?
6. If SSL spoofing is in use, what guarantees can Exetel provide that it will not be misused?
Content blocking on Exetel Home Secure
- Posts: 7
- Joined: Wed Jan 07, 2009 2:43 pm
- Location: Bruthen, Vic
Re: Content blocking on Exetel Home Secure
Hi
flabdablet wrote: Fri Feb 19, 2021 1:30 pm
Having just read the email blast about Exetel Home Secure, I'm curious about how it handles content blocking.
1. Is blocking done per DNS name, per IP address, per URL, other?
2. Is the blocking done based on a curated database of names/addresses/URLs that need to be blocked, or is there some form of real-time content inspection in operation?
3. If there is real-time content inspection, how is that achieved given that SSL is a thing?
4. If there is real-time content inspection that works even on SSL-protected content, how is that done? Does an Exetel-provided SSL spoofing certificate need to be installed on client devices to enable man-in-the-middle attacks against SSL content?
5. If an SSL spoofing certificate does need to be installed on client devices, is it a certificate owned by Exetel or by some third party?
6. If SSL spoofing is in use, what guarantees can Exetel provide that it will not be misused?
We will pass this information request to our developers and get back to you asap.
Thanks
- Posts: 2
- Joined: Fri Feb 18, 2011 4:05 pm
- Location: Sydney
Re: Content blocking on Exetel Home Secure
Hi flabdablet,
To answer your questions:
Q1. Is blocking done per DNS name, per IP address, per URL, other?
A1. Blocking is URL based, and independent of DNS.
Q2. Is the blocking done based on a curated database of names/addresses/URLs that need to be blocked, or is there some form of real-time content inspection in operation?
A2. Both – Predominantly based on a curated database for classification, multiple databases and inline AV for threat management along with real-time heuristics (HTTP only) for a subset of classifications.
Q3. If there is real-time content inspection, how is that achieved given that SSL is a thing?
A3. SSL traffic is not real-time inspected. The SNI (Server Name Indication) is used for classification.
Q4. If there is real-time content inspection that works even on SSL-protected content, how is that done? Does an Exetel-provided SSL spoofing certificate need to be installed on client devices to enable man-in-the-middle attacks against SSL content?
A4. No MITM, and no spoofing – SSL traffic is not decrypted/actively inspected.
Q5. If an SSL spoofing certificate does need to be installed on client devices, is it a certificate owned by Exetel or by some third party?
A5. No MITM, and no spoofing – SSL traffic is not decrypted/actively inspected.
Q6. If SSL spoofing is in use, what guarantees can Exetel provide that it will not be misused?
A6. No MITM, and no spoofing – SSL traffic is not decrypted/actively inspected.
Hope that helps!
Regards,
Glenn.
- Posts: 7
- Joined: Wed Jan 07, 2009 2:43 pm
- Location: Bruthen, Vic
Re: Content blocking on Exetel Home Secure
Hi, Glenn -
To clarify:
A3. SSL traffic is not real-time inspected. The SNI (Server Name Indication) is used for classification.
If I understand the way HTTPS works correctly, then that would mean that for HTTPS sites, which in 2021 is *most* sites, threat classification in effect becomes hostname based rather than URL based.
Which would in turn mean that in the case of e.g. a compromised WordPress host, accessed via HTTPS, into which an attacker had inserted malicious content on some subset of pages, Exetel Home Secure could offer no protection unless it chose to block the entire host, which it would most likely not choose to do until after learning of the existence of that content by other means.
Do I have that right?
Reason I ask is that this exact pattern (malicious pages added to otherwise respectable sites by bad actors, that don't affect normal operation of the sites they're hosted on in any way, but are linked from phishing emails) is one I *frequently* see turning up in my Spam inbox. And if Exetel Home Secure isn't going to be on top of that kind of thing, it strikes me as rather misleading to market it as offering comprehensive protection *because* it operates at the network level.
Thanks
Stephen
- Posts: 2
- Joined: Fri Feb 18, 2011 4:05 pm
- Location: Sydney
Re: Content blocking on Exetel Home Secure
Hi Stephen,
We block or classify a whole HTTPS site based on the SNI. The alternative is MITM which isn’t acceptable to most/all customers.
Our (anecdotal) view is that 'most' of the hacked sites are HTTP (though, we are reviewing the research), so our network based solution, in this (HTTP) case, we feel is a reasonable approach.
Our Home Secure service provides a good baseline of security, with no dependencies on the end user, but it isn’t infallible (like every other internet security solution - other than unplugging the PC from the internet/air-gap). It also has a good suite of content filtering and safe search capabilities that parents find pretty helpful too.
We still recommend customers maintain some form of on-device/end-point security app which will enhance the customers' security coverage by providing local threat protection (including HTTPS and email/filesystem).
However, such an on-device/end-point security app can’t be run on all network connected/IoT devices (Xbox, Wi-Fi light bulb etc) which are all vulnerable to internet based threats. Something that can only be resolved by having security provided at the network level (and/or embedded in the home gateway).
We have chosen to launch Home Secure to provide the broadest layer of protection (network) first.
Stay tuned for future developments in our gateway and end-point protection options.
Regards,
Glenn