pfSense Squid SSL Intercept: Some sites have issues
-
1/ If you install EMET, IE will use certificate pinning for similar sites.
Other browsers use pinning already for high risk domains:
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
https://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-2/
2/ Squid 3.4 branch does not handle SNI.
3/ Finally, and most importantly - you are breaking HTTPS and replacing original certificates with MITM crap. If you have issues with that - do yourself and your users a favor and stop using similar misfeatures.
-
@S.:
Could you try it in another browser?
Does anybody know if Internet Explorer uses certificate pinning for sites like Facebook?
Thanks for the reply S. Kirschner. I should have mentioned that I had tried this in different browsers. I believe I get similar results using Firefox.
On YouTube, in place of where the advertisement is, I will see:
This Connection is Untrusted ...etc...
Cheers!
-
I found squid in transparent mode far too much of a hassle with endless glitches. Made it explicit and now I have no problems.
-
1/ If you install EMET, IE will use certificate pinning for similar sites.
Other browsers use pinning already for high risk domains:
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
https://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-2/
2/ Squid 3.4 branch does not handle SNI.
3/ Finally, and most importantly - you are breaking HTTPS and replacing original certificates with MITM crap. If you have issues with that - do yourself and your users a favor and stop using similar misfeatures.
Hi doktornotor,
Not totally clear on what this EMET is? Though since pinning seems to already be enabled in other browsers, I don't think this will solve my issue.
3/ Yes, I am aware MITM is breaking SSL. However, how else can one filter HTTPS traffic?
Cheers!
-
@KOM:
I found squid in transparent mode far too much of a hassle with endless glitches. Made it explicit and now I have no problems.
Hey KOM,
I'm not using transparent mode. I'm entering the info into my browser's proxy settings in order to enable using the proxy server.
Cheers!
-
If you're not running transparent, why are you talking about certificates? No certs required if you're running explicit.
-
@KOM:
If you're not running transparent, why are you talking about certificates? No certs required if you're running explicit.
Select Certificate Authority to use when SSL interception is enabled. To create a CA on pfSense, go to System -> Cert Manager. Install the CA certificate as a Trusted Root CA on each computer you want to filter SSL on to avoid SSL error on each connection.
I was under the impression that I needed to intercept SSL in order to be able to filter sites that use it?
-
Wow I feel a bit silly now. Seems to be working better now without the SSL stuff turned on. :)
Thanks!
However, is there any way of getting rid of these types of pages? Using YouTube again as an example…
See attached image.
I've already got the options:
Clean Advertising: Check this option to display a blank gif image instead of the default block page. With this option the user gets a cleaner webpage.
and in my blacklist, ads are set to deny.
Cheers!
-
No idea, perhaps your install is borked somehow by the configuration you chose. You're making progress though. Does it do this for all blocked ads?
-
@KOM:
No idea, perhaps your install is borked somehow by the configuration you chose. You're making progress though. Does it do this for all blocked ads?
It appears so far, yes.
-
At least now it looks like a squidguard issue. If you turn off all blocking, do the ads appear normally? Post screens of your squidguard settings.
OK, I just tried it and get the same result. I can't immediately figure out how to prevent it.
-
So I'm still baffled.
I've checked around online for various people's tutorials on installing SquidGuard 1.4. They all seem to imply there is a blank.gif image that is used. However, when I check the actual package for 1.4 (from SquidGuard) it does not contain this.
I did find a blank.gif on a GitHub site for SquidGuard Adblock and was trying to get this working, but nothing I do seems to work.
I mainly tried changing the redirection URL to point to the gif which I uploaded to my pfSense box. Still nothing.
Starting to think that the "error" I see is potentially not related to the adblock. It does say:
Can't establish a connection to the server at ad.doubleclick.net.
Anyone have any thoughts? Suggestions?
Cheers!
-
Anyone?
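One way to confirm from the logs why the blank gif works for some ads but the YouTube slot reports "Can't establish a connection to the server at ad.doubleclick.net": with an explicit proxy, a plain-HTTP ad request can be answered with squidGuard's redirect (so the browser fetches the gif), but an HTTPS ad arrives as a CONNECT request, and the browser only renders the tunnel when the proxy answers 200. Any other answer to a CONNECT (a 403 deny, or the rewriter's 302) cannot be displayed, so the browser shows a connection error for that host. The script below is an added example, not code from this thread or from pfSense/squidGuard; it assumes Squid's native access.log layout and an explicit-proxy setup with squidGuard as url_rewrite_program, and the log lines in it are constructed samples, not real output.

```python
"""Explain from Squid's access.log why a blocked HTTPS ad shows a browser
connection error while a blocked plain-HTTP ad can be swapped for a blank gif.

Assumed setup (not taken from the thread): an explicit proxy, squidGuard as
url_rewrite_program, and Squid's native access.log format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout
# (timestamp elapsed client result/status size method url ident hierarchy type).
SAMPLE_LOG = """\
1427800000.123     45 192.168.1.10 TCP_MISS/302 512 GET http://ad.doubleclick.net/ddm/adj/example - HIER_NONE/- text/html
1427800001.456      9 192.168.1.10 TCP_DENIED/403 3561 CONNECT ad.doubleclick.net:443 - HIER_NONE/- text/html
1427800002.789     11 192.168.1.10 TCP_MISS/302 512 CONNECT ads.example.net:443 - HIER_NONE/- text/html
1427800003.012    120 192.168.1.10 TCP_MISS/200 4096 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1427800004.345    210 192.168.1.10 TCP_TUNNEL/200 15000 CONNECT www.youtube.com:443 - HIER_DIRECT/208.65.153.238 -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


@dataclass
class Entry:
    client: str
    method: str
    host: str
    result: str
    status: int


def host_of(method: str, url: str) -> str:
    """CONNECT requests carry 'host:port'; other methods carry a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Entry(
        client=m["client"],
        method=m["method"],
        host=host_of(m["method"], m["url"]),
        result=m["result"],
        status=int(m["status"]),
    )


def classify(e: Entry) -> str:
    """Map an entry to what the user's browser would have shown."""
    if e.method == "CONNECT":
        # A tunnel is only established on 200. Any other answer (a DENIED 403,
        # or a 302 the rewriter tried to send) cannot be rendered inside a
        # tunnel that never came up, so the browser reports a failed
        # connection to that host.
        return "https-tunneled" if e.status == 200 else "https-blocked"
    if 300 <= e.status < 400:
        # Plain HTTP: the rewriter's redirect reaches the browser, so the
        # Clean Advertising blank gif (or block page) is what gets displayed.
        return "http-redirected"
    return "http-allowed"


def summarize(log_text: str) -> Dict[str, List[str]]:
    """Group hosts by outcome so an admin can see which blocked ads are HTTPS."""
    groups: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        groups.setdefault(classify(e), []).append(e.host)
    return groups


if __name__ == "__main__":
    for outcome, hosts in summarize(SAMPLE_LOG).items():
        print(f"{outcome:16s} {', '.join(hosts)}")
```

Run it against a real /var/log/squid/access.log by reading the file into `summarize`; every host that lands in `https-blocked` is one where the gif can never appear under an explicit proxy, which is the trade-off of not bumping SSL that KOM's earlier reply points at.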