HTTPS Inspection

Without a web gateway traffic between a browser and TitanFile happens over HTTPS, meaning that all the data is encrypted by a secret key shared between your browser and TitanFile. This method is the standard approach for securing internet traffic.

Organizations with higher security and audit requirements frequently use a security device called a Web Gateway to help protect the browser and to ensure compliance obligations are met. The Web Gateway acts as an intermediary between TitanFile and the browser, decrypting the traffic and inspecting it for malware or other non-compliance before re-encrypting it and sending it on its way.

Client Side Encryption

TitanFile takes file security beyond the limits of HTTPS by employing Client Side Encryption (CSE). All traffic including file downloads are still protected by HTTPS, but in addition files are encrypted using a key that is held by TitanFile’s partner key management firm (mention credeon/hitachi?). The key is retrieved by the browser after the download is complete, and decryption happens only in the browser. The Web Gateway cannot inspect the contents of the file.

What’s the problem?

To decrypt files, the browser downloads chunks of the file that are encrypted by CSE and decrypts them using the key retrieved from our key management provider. Because the web gateway has no access to the decryption key, the file will remain encrypted as it is inspected by the gateway. If the file was infected before being encrypted for TitanFile sharing the malware will remain encrypted in the file, undetectable to the gateway.

The gateway normally does its job by downloading files on behalf of the browser that requests them, and inspecting them for malware before sending them to the browser. CSE files are stored by TitanFile in encrypted chunks, and are reassembled when the browser downloads and decrypts them.

Websockets

TitanFile uses websockets for asynchronous communication with the browser. The default rules for MWG HTTPS inspection prevent websockets from working, forcing the browser to downgrade to a legacy connection method called ‘polling’. Although the application fully supports operations without websocket support, there is a connection delay associated with downgrading.

Solution

Mcafee provides guidance on enabling applications that are not compatible with HTTPS inspection in this document. https://community.mcafee.com/t5/Documents/Web-Gateway-Understanding-Progress-Indication-Methods/ta-p/553861

Option #1

The simplest approach is to white-list *.titanfile.com in the MWG admin panel. This enables both websockets and CSE download. In the Policy page, select “HTTPS Scanning”. Click “Edit” under Hosts/CN to insert.

Add *.titanfile.com

Option #2a

You may wish to continue inspecting HTTPS traffic, but enable CSE downloads. For this we need to add a whitelist rule to the Gateway Anti-malware settings. This will prevent the progress page from running, allowing CSE file downloads. In the Policy page, select “Gateway Anti-Malware” and select “URL Host Whitelist” under “Bypass scanning”.

Add “*.titanfile.com”

Option #2b

You may wish to still allow websocket traffic without whitelisting all TitanFile traffic. Follow the steps at https://kc.mcafee.com/corporate/index?page=content&id=KB84052&locale=en_US to enable websockets, then in the “Websocket Handling” click “Show Details” and then “WebSocket Whitelist” under “Allow Websockets for Special Sites (Client Initiated)”

Add “*.titanfile.com”

Did this answer your question?