Why StarLeaf does not allow HTTPS inspection
Managing Troubleshooting StarLeafLast updated January 19, 2021
To allow the StarLeaf Cloud to be as secure as possible, StarLeaf endpoints do not support the use of HTTPS inspection.
If HTTPS inspection was supported, then that would prevent StarLeaf from being able to check the identity of endpoints and would therefore create a security risk for StarLeaf as people would be able to connect untrusted endpoints to the StarLeaf Cloud. For this to work securely, the inspecting proxy would need to create a new certificate signed by StarLeaf on the fly for each endpoint connecting via the proxy or have set up as many certificates as endpoints (and that is not a scalable solution). Again this would add risk in that StarLeaf would need to trust every customer not to use the certificates generated by the proxy in a malicious way.
StarLeaf endpoints check the identity of the servers they are connecting to. If there was a proxy in the middle, the endpoints would need to trust the proxy’s certificate. Given that StarLeaf endpoints are configured by the StarLeaf Cloud and that a secure connection to the Cloud is required for configuration it would not be possible to set up the certificates remotely since the required certificates would not be in place. This would require manual configuration of endpoints and would create security concerns.
To allow StarLeaf endpoints to work, you must disable HTTPS inspection.