Originial SSL Certificate Requirement on Non-Transparent Mode
-
Hello,
I would like to access https traffic and logs on my pfsense firewall that is being used for my company. In order to watch the traffic and logs, original ssl certificate is required, otherwise when non-transparent mode is clicked with fake artificial certificate, https web site can't be accessed.
Do you have any advise concerning this issue? Or can you suggest me anywhere that I am able to purchase SSL certificate for firewall not for neither domain nor IP.
Every single reply is highly appreciated.
-
No one will sell you certs singed for domains that you do not own. That's illegal. Even the USA government has a hard time getting this done.
What you can do is install your cert on all of the client machines and tell the client machines to trust your cert. This does open all of your clients to all sorts of attacks, but it's the only way to do it. HTTPS serves two purposes 1) Encryption 2) Authentication You're breaking #2. What you're trying to do is lie to the clients, claiming to be someone that you're not. Hey, I'm google.com! If you install your certs and sign every site with your cert, no one will be able to know who is the real google.com.
Some critical systems use HTTPS to for auth, like Windows Updates. There have been attacks that took advantage of HTTPS transparent proxies and tricked Windows to install malware vial Windows Update. Be prepared for the can of worms you're opening.
-
If you really need to do MITM on your users.. Then use your own CA, create your own wildcard certs or gen them on the fly for each fqdn requested, etc. Have your users trust your CA..
But as Harvy66 mentions, this is a can of worms that really should not be open.. if you have problems with users using proxies via ssl to bypass your content filtering then block those proxies.. Or block all ssl and whitelist the ssl sites that are needed to get too. It is an uphill battle for sure… But doing mitm on your users a slippery slope that really shouldn't be gone down if you ask me from many different levels.
If you can not trust your users to use the internet appropriately, maybe they shouldn't freaking have internet.. This is a better option then giving watching their traffic that is suppose to be secure..
Why don't you ask your users if they are ok with you being able to monitor all their logins and traffic to their bank accounts, medical sites, every site that they login to with an account that you will be able to see username and passwords and data that is suppose be secure between the server and their browser.. See if they are ok with that..
-
I just noticed the title says "non-transparent mode". I guess I miss-read that because so many want to use transparent mode. I am not familiar with this mode.