Blocking ads (SSL) with Squid3 + pfBlockerNG?



  • Just got my pfSense box set up the other day. So far I'm loving it but haven't done any advanced setup yet. The first thing I want to do is to block ads at pfSense rather than having to run uBlock Origin or anything like that. It's especially important because of the limited ad-blocking abilities of a lot of mobile devices. From my research it appears people generally use pfBlockerNG for this purpose. What I don't see being discussed, though, is that most sites are going SSL, so a lot of ads are going to be coming across encrypted. I know you can set up squid3 as a transparent proxy and create a self-signed cert that you would have to install on whatever device I plan to use on the network. To be honest, in the end I'll probably try to set up something so that if you don't have the cert installed then you won't have internet access. I also want squid to be able to do its job of proxying SSL traffic.

    More importantly, what I don't know is: can pfBlockerNG use the traffic that squid3 has decrypted so I can block ads that come across on SSL? Hopefully it can.

    I'm also hoping pfBlockerNG will be as good as uBlock Origin, in that whatever definitions it uses are good and it will automatically download and update them without me having to do a thing.



  • HTTPS proxies are bad ideas. There have been attacks over the years that take advantage of the proxy blindly signing content. HTTPS is not just about encryption, it's also about authentication, and you break that with a proxy. One big-scale attack affected Windows because Windows Update uses HTTPS to authenticate, allowing a relatively simple internal attack to confuse the proxy and have the proxy claim the data came from Microsoft, while your client device has been told to blindly trust the CA your proxy signs as. Windows just blindly installed the "updates", which were malware. Microsoft's response: an HTTPS proxy is a bad idea and breaks Internet security, you deserve what you get, working as designed.

    That is only one example. Don't do it, it's a bad idea. There are many services that use HTTPS certs to decide if a site should be trusted, not just for web browsing, but also for system maintenance.



  • @Harvy66:

    HTTPS proxies are bad ideas. There have been attacks over the years that take advantage of the proxy blindly signing content. HTTPS is not just about encryption, it's also about authentication, and you break that with a proxy. One big-scale attack affected Windows because Windows Update uses HTTPS to authenticate, allowing a relatively simple internal attack to confuse the proxy and have the proxy claim the data came from Microsoft, while your client device has been told to blindly trust the CA your proxy signs as. Windows just blindly installed the "updates", which were malware. Microsoft's response: an HTTPS proxy is a bad idea and breaks Internet security, you deserve what you get, working as designed.

    That is only one example. Don't do it, it's a bad idea. There are many services that use HTTPS certs to decide if a site should be trusted, not just for web browsing, but also for system maintenance.

    Yep, I'm versed in all this. I'm not a cryptographer by any means, but I definitely use encryption daily in my job as a programmer. There is no other way. Either you peer into SSL/TLS (MITM) or you remain ignorant of possible stuff on your network. In the end I will be using the ability to decrypt for a lot of other things like virus scanning, web filtering, etc. Especially considering the rise of Let's Encrypt. In a few years how many things will use HTTP anymore? I'm thinking not a lot. Yes, SSL/TLS is not just about encryption but authentication. If anyone is on my network they must trust me :). The only people that really will trust my cert would be the people on my network, since they will be the only ones that have the cert installed on their machines.

    The attack you're talking about sounds like they had issues on their internal network. Yes, it will appear it comes from microsoft.com, but if you look into the cert trust chain you will be able to see it was re-signed (in my case with my cert).

    In the end I think most businesses will end up doing this if they care about their network and the security of their data. Yes, the SSL system right now is bad. Unfortunately you have to put your trust in CAs, but it's all we have.



  • @Harvy66:

    HTTPS proxies are bad ideas. There have been attacks over the years that take advantage of the proxy blindly signing content.

    You mean "transparent HTTPS proxy with SSL-Bump", don't you?  ???

    Because an explicit HTTPS proxy without MITM (SSL-Bump) doesn't exhibit the behaviour you (rightly) describe  ;)
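The distinction drawn in the last post, and the "look at the chain to see it was re-signed" point above it, come down to what the Squid configuration actually does with a TLS connection. The following is an added example, not a configuration posted by anyone in this thread and not the pfSense package's generated config: two alternative Squid 3.5-style setups side by side, the explicit proxy that tunnels CONNECT without ever seeing the TLS session, and the intercepting SSL-Bump setup that terminates TLS and re-signs under a private CA. The port numbers, file paths (serverkey.pem, ssl_crtd, adlist.txt) and the domains in the splice list are assumptions chosen for illustration; the ad-domain file is one you maintain yourself, since the thread does not establish whether pfBlockerNG can feed Squid's ACLs.

```conf
# Added example: two alternative Squid 3.5-style setups. Paths, ports and
# domain lists are assumptions; pick A or B, the http_access rules apply
# to whichever listening port is in use.

# --- A: explicit proxy, no SSL-Bump -------------------------------------
# Clients are configured to use proxy:3128. HTTPS passes through as an
# opaque CONNECT tunnel: Squid never sees the TLS session, so the client
# still validates the real server certificate chain. Ad blocking is limited
# to the hostname visible in the CONNECT request line.
http_port 3128
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT
acl ads dstdomain "/usr/local/etc/squid/adlist.txt"   # one domain per line, e.g. .doubleclick.net
http_access deny CONNECT !SSL_ports
http_access deny ads
http_access allow localnet
http_access deny all

# --- B: transparent interception with SSL-Bump --------------------------
# Traffic is redirected here by a firewall rule; the client never asked
# for a proxy. serverkey.pem holds the private CA cert and key that every
# client must trust, otherwise every HTTPS site shows a certificate error.
http_port  3129 intercept
https_port 3130 intercept ssl-bump \
    cert=/usr/local/etc/squid/serverkey.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB
sslcrtd_children 5

# Refuse to re-sign a server certificate that the proxy itself could not
# validate. Without this the proxy launders a bad upstream certificate
# into one the client trusts, which is exactly the authentication failure
# discussed in the thread.
sslproxy_cert_error deny all

# Step 1: only peek at the ClientHello to learn the SNI. Nothing has been
# decrypted yet and the client has not been handed a forged certificate.
acl step1 at_step SslBump1
ssl_bump peek step1

# Block ad hosts by SNI during the handshake. No decryption is needed for
# this, so it also works for devices that do not trust the private CA.
acl ads_sni ssl::server_name "/usr/local/etc/squid/adlist.txt"
ssl_bump terminate ads_sni

# Pass update and other certificate-sensitive services through untouched
# (splice): the client sees the genuine chain. Domain names are examples.
acl nobump ssl::server_name .windowsupdate.com .update.microsoft.com
ssl_bump splice nobump

# Everything else is bumped: Squid terminates TLS, inspects the plaintext
# (content filtering, AV scanning) and re-encrypts under the private CA.
ssl_bump bump all
```

In setup B, a client that opens a bumped site and inspects the certificate will see the leaf issued by the private CA rather than by the public CA, which is the re-signing visible in the chain that the earlier post describes. Splicing by server name is what keeps that re-signing away from software that pins or otherwise checks the genuine issuer. On Squid 4 the helper is named security_file_certgen instead of ssl_crtd and the https_port option is tls-cert= rather than cert=; the ssl_bump rule logic is the same.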

