Aren't you mixing up Web Security with Email Security? 5.5.1 is available for Email Security, however not (yet) for Web Security where 5.2.0 is the latest available version. Right?

You are right, sorry for my mistake! :oops:

5.5.0 is available, but is a very limited release, being that it just finished the Beta process.

We currently do not yet have an ETA on a fully public release.

What does 5.5.0 fix from the current version? What new features does it enable? Thank you.

The list of resolved bugs will continually evolve until the general release of 5.5.0 (probably sometime in Q2 CY08).

As far as new features, the most notable new feature in 5.5.0 will be the addition of HTTPS traffic inspection.

-Jason

Dear Jason,

Can you briefly explain how does WSA perform HTTPS termination and inspection?

Thanks,
ezekiel

Ezekiel,

The short explanation is that the WSA executes a typical man in the middle SSL attack.

The WSA initiates SSL sessions with both the client and the server. After receiving the certificate from the server, the WSA generates it's own certificate and serves it to the client.

Since the certificate used to generate server certs is not trusted by the browsers, the browser will receive a trust warning. You can get around this by loading the CA cert into the clients on your network.

Just to make that a little more visual:

Client <- SSL Conn 1 -> WSA <- SSL Conn 2 -> Web Server

Since the WSA is in the middle of these SSL connections, it can see the traffic unencrypted, but you still maintain SSL security across the Internet and LAN.

For any sites with highly sensitive information (such as financial sites), you will also have the ability to set these categories to Pass-Through, so the WSA will not decrypt these connections.

-Jason

Thank you Jason and Josh.

Regards,
ezekiel

Thanks...