Unauthenticated access to HTTPS sites allowed whilst requiring authentication [message #25068]
Fri, 22 July 2005 17:52
winkelman
Messages: 26 Registered: May 2005 Location: Amsterdam, The Netherland...
When you are not authenticated, you can still go to HTTPS sites. Going to such a site will not bring up the Kerio Authentication Page.
My KWF requires authentication for Internet access. When you're not authenticated, you will be presented with the login screen. (In traffic rules I allow HTTP and HTTPS traffic from the LAN to the Internet, but in the Users configuration I selected "Always require users to be authenticated when accessing web pages".)
I understand KWF cannot look into HTTPS streams, nonetheless it should not be possible to browse the web if you've configured KWF to require authentication (even if only to HTTPS sites).
I am running more and more into 'HTTPS issues'. You cannot block access to HTTPS sites based on URLs, and now I find out you cannot even require users to be authenticated when going to HTTPS sites. This is becoming problematic.
I urge Kerio to look into this matter. As I said, I understand KWF cannot look into encrypted streams, but, for example, the initial request to an HTTPS site is not encrypted, so I see no technical reason why KWF should not be able to block sites or enforce authentication. More and more of the internet is going secure and I am losing my ability to use KWF to limit Internet access.
Or... if I am wrong and something is misconfigured here, please do tell.