Filtering HTTPS
-
I understand that we can't filter HTTPS because of the Man-In-The-Middle issue or issuing certificates to all the users' PCs. However, I was just working on a Cisco ASA that had that ability without needing certificates on the PCs. How is it that they can manage it but pfSense can't? I find it odd.
-
They do not "look" inside HTTPS; they only block connections to the remote site by SNI. SNI is the name of the server the browser initiates HTTPS connections to. This technology allows you to block users from going to a bad site, fine, but blocking users from looking on Google for p*orn is impossible.
Imagine it was otherwise and you walked into an internet cafe where they use a Cisco ASA: all your banking details would be viewable without you ever noticing the SSL connection is bumped. Glad it is not so.
-
It works very much fine on pfSense with the latest Squid versions (>=0.4.35+) and "Splice All". And yeah, you obviously do not get any content filtering.
-
I guess that makes sense. I was wondering how there was HTTPS in the options of the page and how it could view them when they are encrypted. If the hostname is sent separately, then why couldn't you do content filtering based solely on the SNI information? If it blocks bad (malicious) sites based on the hostname, why can't content filtering block based on the same information?
-
Content filtering == you can see the real content. Terminology mix-up, I guess. You cannot filter the content you do not see.
http://wiki.squid-cache.org/Features/SslPeekAndSplice