SSL Intercept
-
Hi pFolks =)
I want to intercept SSL traffic for filtering content using a squid proxy server. I want to use the transparent mode, and filter the content in every device connected to my network, including mobile devices.
Pieces of Advice?
Thank you for any help you guys could get me
-
Allow me just to turn around the question :
Do you think there is someone or something** that can do exactly that right now when you connect yourself to facebook, your bank, or other service that is considered 'private' and/or personal ? Do you think TLS - for example 'https' - is broken at that point ?
And if it is, is this trick common knowledge ?
What will work :
On every device on your network you have to install certificates and proxy settings.
So these devices will reroute all their process (programs) communication to the known proxy. All requests will get collected on the proxy (squid on pfSense) - and squid will repeat the requests on their behalf. The answers will get decrypted, re-encrypted and sent back to the requesting devices/processes.
Not really transparent (at all).
Squid using transparent mode, intercepting TLS ?
I tend to affirm : Impossible - as users and service providers will not cooperate with you.
Last but not least : if you manage to pull this one off, there will be agencies that will hire you "at any cost". That is, when you've done your lifetime in prison.
Squid using transparent mode was easier to implement in the good old days when http went over port '80' and mails over port 143 110 etc.
** governmental agencies, or your ISP ?
-
Filter content = Block unwanted traffic such as porn sites, social networks, and so on. I don't know why you are talking about "broken SSL" or suggesting some sort of hacking. I want to block some content in my network using transparent mode because filtering mobile devices is a nightmare.
I know that it is necessary to push the SSL certificate to every single device in my network in order to decrypt the traffic and block what I need. My question is: If I get an SSL certificate from GoDaddy for example, could it work with pfSense in order to use the transparent mode and avoid the browser warning when a user tries to navigate?
Thanks in advance!
-
@reeko said in SSL Intercept:
Block unwanted traffic such as porn sites, social networks, and so on
This is prob better done via just DNS filtering vs proxying the traffic. You could still run into issues with clients trying to use DoH or DoT or just their own DNS. But those are easier to deal with.
While you can not get as granular with stuff like www.domain.tld/allowthis or www.domain.tld/blockthis
Without full MITM interception of SSL you can not do such filtering anyway. While you can filter on domain when the client sends CONNECT to the proxy.. Filtering what you don't want clients to go to is easier via just DNS based filtering.
-
@johnpoz Thank you for your answer.
My question remains unanswered: If I get an SSL certificate from a trusted CA such as Verisign or any other, could it work with pfSense? Blocking things with DNS is not efficient at all. I can block unwanted traffic using squid and squidguard pretty easily and it works very well. The problem is to use a trusted certificate to let the users navigate and avoid browser warnings and secure connection problems. Obviously, that certificate needs to be on every single host. That is clear. How to push it? I will work around that. My main concern is if pfSense can use a trusted certificate when the user tries to navigate. That's it.
-
@reeko said in SSL Intercept:
Blocking things with DNS is not efficient at all
I have no idea why you would think that.. It's pretty simple to grab lists or create lists of blocked stuff.
But here you go if you're wanting to try it.
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
Intercept HTTPS CONNECT messages with SSL-Bump
Clients do not send CONNECT messages when in "transparent" mode of interception of the traffic..
You could try this
https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense
Good luck.. Maybe someone else will chime in that does this.. It's not a common practice for sure. I haven't actually used a proxy to try and do such filtering in many years. Not a fan of any sort of messing with any SSL traffic. If I was going to do it, I would use explicit pointing to the proxy and use sslbump..
You will have to trust your CA you create - there is no way to use a cert from 3rd party for such a thing because there is no way to create certs on the fly for www.somedomain.tld from already trusted CA.. So devices that can not be set to trust your CA will not work..
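For anyone reading this later, here is an added squid.conf fragment (not from any poster above, and not pfSense's generated config) that ties the two points together: domain-level blocking using only the TLS SNI, so nothing is decrypted for those flows, and full decryption (bump) only for an explicit list, which is where the self-generated CA has to be trusted on every client. Paths, domain names and the CA file name are assumed placeholders; the directive syntax is Squid 4.x.

```conf
# Assumed: HTTPS traffic is redirected to port 3129 by a firewall NAT rule.
# The CA in tls-cert= is one you generate yourself and import on every client;
# no public CA will issue a cert that can sign on-the-fly certificates for
# other people's domains, so a GoDaddy/Verisign server cert cannot be used here.
https_port 3129 intercept ssl-bump \
    tls-cert=/usr/local/etc/squid/myLocalCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that mints the per-host certificates (path assumed, pfSense-style layout)
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 4MB

# Step 1 of SslBump: only the ClientHello has been seen, which carries the SNI
acl step1 at_step SslBump1

# Constructed example lists; in transparent mode the SNI is the only hostname you get
acl blocked_sni ssl::server_name .social-example.test .adult-example.test
acl bump_sni    ssl::server_name .inspect-example.test

# Look at the ClientHello without touching the TLS session
ssl_bump peek step1
# Blocked domains are cut at the TLS layer: no decryption, no certificate warning,
# the client just sees a failed connection
ssl_bump terminate blocked_sni
# Full MITM only for the short inspect list; these clients MUST trust myLocalCA.pem
ssl_bump bump bump_sni
# Everything else is passed through end-to-end encrypted and never decrypted
ssl_bump splice all
```

Devices that cannot import the local CA (locked-down mobile apps with pinning, IoT gear) still work with the terminate/splice rules, since only the bump_sni list depends on the client trusting the CA.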