Cato Networks acts as a man-in-the-middle to serve block pages for HTTPS websites even when TLS Inspection is disabled. This means that when browsing to an HTTPS website that is blocked, users will see certificate warnings if the Cato Certificate is not installed on their computer or browser.
The screenshot below shows the warning that Firefox displays when https://facebook.com is blocked and the Cato Certificate is not installed.
Install the Cato Certificate on users' computers and/or browsers to prevent certificate warnings. For instructions, please refer to our article How to install Cato's certificate.
The screenshot below shows the block page displayed in Firefox for https://facebook.com after installing the Cato Certificate.
When an HTTP website is blocked by policy, Cato is able generate the block page with a HTTP 403 response following the client's HTTP GET method.
The same method is not possible when an HTTPS website is blocked, however, because all traffic between the client and server is encrypted.
Therefore, in order to serve the block page for HTTPS websites, Cato acts as a man-in-the-middle. Cato is able to detect that an HTTPS website should be blocked prior to the TLS handshake, so it intercepts the Client Hello and completes the TLS handshake with the client. Cato is then able to decrypt the incoming GET request and serve the block page.