Post

Replies

Boosts

Views

Activity

Reply to User Agent no longer present on CONNECT requests starting from iOS 15
This is Symantec's article letting customers know that the User-Agent policies will no longer work, and that a workaround is not available. https://knowledge.broadcom.com/external/article?articleId=223857 In my opinion it's unfortunate (for admins and users alike) that those required to monitor web traffic are now being forced to decrypt (or block) all network traffic originating from iOS 15+ devices due to a change that (from the early posts in this thread) appears to have been unintentional.
Oct ’21
Reply to User Agent no longer present on CONNECT requests starting from iOS 15
This is an interesting issue. Just catching up, but it sounds like this was done inadvertently but that Apple is "disinclined to fix this because the user agent string is a potential source of personal information."? I personally feel that not fixing this inadvertent bug is a mistake and is likely to expose much more sensitive personally identifiable information than anything I've ever seen in the User-Agent header. There are multiple organizations that either opt to or are required to intercept SSL/TLS requests to inspect traffic for malicious code or inappropriate use. In order to aid with preserving privacy many of these organizations will only match specific user agent headers in the HTTP CONNECT request (i.e. for web browsers) in order to avoid decrypting other potentially sensitive information and/or breaking communication for apps that are using certificate pinning. By removing this header in HTTP CONNECT requests it will mean these organizations will start attempting to decrypt and inspect ALL traffic going through these proxies. This will likely break communication for many apps using certificate pinning and unnecessarily expose potentially sensitive information that the organization (or school, as there are many state laws requiring this type of monitoring) would have preferred to remain private. Ensuring this header is present (and contains the User-Agent information for the app making the request) will protect sensitive personally identifiable information in addition to ensuring apps utilizing certificate pinning will continue to work unhindered. Please reconsider your position on this issue. Thank you!
Sep ’21