Limitations with HTTPS sites in the Web Content Control settings in IGK
With the Internet Gateway (IGK) for Linux 5.30 release, allowing or denying access to HTTPS sites in the Web Content Control settings may not work in certain situations as expected. These limitations apply to HTTPS sites when specifying them in the Trusted sites and/or Disallowed sites options. The limitations are as follows:
- HTTPS sites can only be specified by the host. For example, the following works: https://www.example.com, but specifying the path in a URL, for example, https://www.example.com/path/to/page, does not work. Specifying a path results in either a "trusted" site being blocked or a "disallowed" site being allowed.
The reason for this is that the connection between the client and the web server is established using the HTTP CONNECT method. Internet Gateway (IGK) tunnels the TCP connection to the requested host without accessing the requested HTTP content.
- When an HTTPS site is blocked in the Disallowed sites setting, the client web browser displays a generic "Secure connection refused" error message, rather than the error template corresponding to the HTTP error code that IGK sends.
The reason for this is a security measure on the client side relating to the handling of HTTP CONNECT failures.
- Specifying HTTP URLs as "disallowed" in the Disallowed sites setting might not get blocked in the web browser. URLs need to be specified as both HTTP and HTTPS to ensure "disallowed" access.
The reason is that some browsers implement "opportunistic encryption", which means that HTTP URLs are first connected as HTTPS URLs. For example, specifying http://www.facebook.com/some/path/to/example/page as a "disallowed" site might not get blocked in the web browser, as the URL first attempts to connect as https://www.facebook.com/some/path/to/example/page.