Content blocking on Exetel Home Secure

flabdablet
Posts: 7
Joined: Wed Jan 07, 2009 2:43 pm
Location: Bruthen, Vic

Content blocking on Exetel Home Secure

Post by flabdablet » Fri Feb 19, 2021 1:30 pm

Having just read the email blast about Exetel Home Secure, I'm curious about how it handles content blocking.

1. Is blocking done per DNS name, per IP address, per URL, other?

2. Is the blocking done based on a curated database of names/addresses/URLs that need to be blocked, or is there some form of real-time content inspection in operation?

3. If there is real-time content inspection, how is that achieved given that SSL is a thing?

4. If there is real-time content inspection that works even on SSL-protected content, how is that done? Does an Exetel-provided SSL spoofing certificate need to be installed on client devices to enable man-in-the-middle attacks against SSL content?

5. If an SSL spoofing certificate does need to be installed on client devices, is it a certificate owned by Exetel or by some third party?

6. If SSL spoofing is in use, what guarantees can Exetel provide that it will not be misused?

nilushid
Admin
Posts: 1198
Joined: Tue Jan 10, 2017 2:18 pm
Location: sydney

Re: Content blocking on Exetel Home Secure

Post by nilushid » Fri Feb 19, 2021 2:09 pm

flabdablet wrote:
Fri Feb 19, 2021 1:30 pm
Having just read the email blast about Exetel Home Secure, I'm curious about how it handles content blocking.

1. Is blocking done per DNS name, per IP address, per URL, other?

2. Is the blocking done based on a curated database of names/addresses/URLs that need to be blocked, or is there some form of real-time content inspection in operation?

3. If there is real-time content inspection, how is that achieved given that SSL is a thing?

4. If there is real-time content inspection that works even on SSL-protected content, how is that done? Does an Exetel-provided SSL spoofing certificate need to be installed on client devices to enable man-in-the-middle attacks against SSL content?

5. If an SSL spoofing certificate does need to be installed on client devices, is it a certificate owned by Exetel or by some third party?

6. If SSL spoofing is in use, what guarantees can Exetel provide that it will not be misused?

Hi

We will pass this information request to our developers and get back to you asap.

Thanks

Glenn Ward
Posts: 2
Joined: Fri Feb 18, 2011 4:05 pm
Location: Sydney

Re: Content blocking on Exetel Home Secure

Post by Glenn Ward » Fri Feb 19, 2021 5:08 pm

Hi flabdablet,

To answer your questions:

Q1. Is blocking done per DNS name, per IP address, per URL, other?
A1. Blocking is URL based, and independent of DNS.

Q2. Is the blocking done based on a curated database of names/addresses/URLs that need to be blocked, or is there some form of real-time content inspection in operation?
A2. Both – Predominantly based on a curated database for classification, multiple databases and inline AV for threat management along with real-time heuristics (HTTP only) for a subset of classifications.

Q3. If there is real-time content inspection, how is that achieved given that SSL is a thing?
A3. SSL Traffic is not real-time inspected. The SNI (Server Name Indication) is used for classification.

Q4. If there is real-time content inspection that works even on SSL-protected content, how is that done? Does an Exetel-provided SSL spoofing certificate need to be installed on client devices to enable man-in-the-middle attacks against SSL content?
A4. No MITM, and no spoofing – SSL traffic is not decrypted/actively inspected

Q5. If an SSL spoofing certificate does need to be installed on client devices, is it a certificate owned by Exetel or by some third party?
A5. No MITM, and no spoofing – SSL traffic is not decrypted/actively inspected

Q6. If SSL spoofing is in use, what guarantees can Exetel provide that it will not be misused?
A6. No MITM, and no spoofing – SSL traffic is not decrypted/actively inspected

Hope that helps!

Regards,

Glenn.

flabdablet
Posts: 7
Joined: Wed Jan 07, 2009 2:43 pm
Location: Bruthen, Vic

Re: Content blocking on Exetel Home Secure

Post by flabdablet » Sat Feb 20, 2021 2:59 pm

Hi, Glenn -

To clarify:

A3. SSL Traffic is not real-time inspected. The SNI (Server Name Indication) is used for classification.

If I understand the way HTTPS works correctly, then that would mean that for HTTPS sites, which in 2021 is *most* sites, threat classification in effect becomes hostname based rather than URL based.

Which would in turn mean that in the case of e.g. a compromised WordPress host, accessed via HTTPS, into which an attacker had inserted malicious content on some subset of pages, Exetel Home Secure could offer no protection unless it chose to block the entire host, which it would most likely not choose to do until after learning of the existence of that content by other means.

Do I have that right?

Reason I ask is that this exact pattern (malicious pages added to otherwise respectable sites by bad actors, that don't affect normal operation of the sites they're hosted on in any way, but are linked from phishing emails) is one I *frequently* see turning up in my Spam inbox. And if Exetel Home Secure isn't going to be on top of that kind of thing, it strikes me as rather misleading to market it as offering comprehensive protection *because* it operates at the network level.

Thanks
Stephen

Glenn Ward
Posts: 2
Joined: Fri Feb 18, 2011 4:05 pm
Location: Sydney

Re: Content blocking on Exetel Home Secure

Post by Glenn Ward » Mon Mar 01, 2021 12:35 pm

Hi Stephen,

We block or classify a whole HTTPS site based on the SNI. The alternative is MITM which isn’t acceptable to most/all customers.

Our (anecdotal) view is that 'most' of the hacked sites are HTTP (though, we are reviewing the research), so our network-based solution, in this (HTTP) case, we feel is a reasonable approach.

Our Home Secure service provides a good baseline of security, with no dependencies on the end user, but it isn’t infallible (like every other internet security solution - other than unplugging the PC from the internet/air-gap). It also has a good suite of content filtering and safe search capabilities that parents find pretty helpful too.

We still recommend customers maintain some form of on-device/end-point security app which will enhance the customer's security coverage by providing local threat protection (including HTTPS and email/filesystem).

However, such an on-device/end-point security app can’t be run on all network connected/IoT devices (Xbox, Wi-Fi light bulb, etc.) which are all vulnerable to internet-based threats. Something that can only be resolved by having security provided at the network level (and/or embedded in the home gateway).

We have chosen to launch Home Secure to provide the broadest layer of protection (network) first.

Stay tuned for future developments in our gateway and end-point protection options.

Regards,

Glenn
