We released LiveStream 5.3.0 last week and the full release notes are over on the Knowledge Base. But there’s one important change we wanted to highlight in detail.
The proxy technology we use has improved so we can now transparently filter HTTPS traffic without the client installing any certificates. This new method is called Splicing. While this simplifies on-boarding for your users, it has one notable disadvantage, albeit one we’re used to from explicit proxies:
The proxy can only parse the domain name — the URLs clients request stay encrypted.
This can be a problem for schools as sites like wikipedia.org are now encrypted. Unless the proxy decrypts and inspects the HTTPS traffic, it can’t know which specific articles are being accessed.
Your Decision
Now that the technology allows us to do equivalent HTTPS filtering on both explicit and transparent proxy modes, you’ll need to ask yourself this question after you update:
Is revealing the URL paths of HTTPS sites worth the need to install and trust a certificate on every client?
Depending on how easy your network makes it to roll out self-signed certificates to managed devices, this might be simple. If so, you can toggle HTTPS Inspection back on in Setup -> Proxy after you install v5.3.0.
Or, just do nothing and start enjoying the simplicity of Splicing. Your users won’t be interrupted and HTTPS traffic will be filtered by the domain name only, just like it currently works for clients using the proxy explicitly.
Filtering HTTPS traffic is a complex topic, but we're striving to simplify it as much as possible with LiveStream 5. If you need any help or advice shoot me an email at [email protected].