❗For now, this article applies only to Safetica hosted on-premises.
Introduction
Safetica can perform SSL inspection (“look inside” encrypted web traffic) to stop data loss and block fake websites. Part of this includes checking SSL certificates, which are used to verify if a website is legitimate and secure.
This setting affects the protected devices (those with Safetica Client installed), not the Safetica server.
SSL certificate validation modes
In Settings > General > SSL certificate validation, you can choose how strictly Safetica approaches SSL certificates. There are two SSL certificate validation modes:
- Moderate (default): Blocks dangerous websites while allowing minor security issues. This mode balances security with practicality and keeps day-to-day work running smoothly.
  - ❌Blocks:
    - Dangerous websites with forged or fake certificates.
    - Websites with expired or revoked certificates.
  - ✅Allows:
    - Websites with self-signed certificates (common in company intranets).
    - Older websites with weak encryption.
- Strict: Blocks ALL websites with certificate issues. This mode provides maximum security but might block legitimate websites.
  - ❌Blocks everything that is not fully trusted, including:
    - Dangerous websites with forged or fake certificates.
    - Websites with expired or revoked certificates.
    - Websites with self-signed certificates (common in company intranets).
    - Older websites with weak encryption.
    - Untrusted certificates (even legitimate internal ones).
Examples of mode behavior:
| Scenario | Moderate (default) | Strict |
| --- | --- | --- |
| Website with expired/revoked certificate | ❌Blocked | ❌Blocked |
| Man-in-the-middle attack using a fake certificate | ❌Blocked | ❌Blocked |
| Company intranet with self-signed certificate | ✅Allowed | ❌Blocked |
| Website with only weak/old encryption | ✅Allowed | ❌Blocked |
FAQ
Q: I visit a website whose certificate expired yesterday. Will it be blocked?
A: Yes. Websites with expired or revoked certificates are blocked in both Moderate and Strict modes.
Q: What if an attacker uses a fake certificate to impersonate a website (man-in-the-middle attack)?
A: Safetica will block the website in both Moderate and Strict modes to protect your data.
Q: My company has an internal website with a self-signed certificate. Will it work?
A: It will work in Moderate mode, but it will be blocked in Strict mode.
Q: What happens if a website uses outdated encryption?
A: It will be allowed in Moderate mode but blocked in Strict mode.