Netgate Discussion Forum

    Filtering HTTPS

    Cache/Proxy
    5 Posts 3 Posters 1.5k Views
    Stewart

      I understand that we can't filter HTTPS because of the man-in-the-middle issue or issuing certificates to all the users' PCs. However, I was just working on a Cisco ASA that had that ability without needing certificates on the PCs. How is it that they can manage it but pfSense can't? I find it odd.

      sichent

        They do not "look" inside HTTPS; they only block the connection to the remote site by SNI. SNI is the name of the server the browser initiates the HTTPS connection to. This technology allows you to block users from going to a bad site, fine, but blocking users from looking on Google for p*orn is impossible.

        Imagine it was otherwise and you walked into an internet cafe where they use a Cisco ASA: all your banking details would be viewable without you ever noticing the SSL connection is bumped. Glad it is not so.

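What an SNI-only filter actually sees, as an added example that is not from the thread, pfSense or Squid: the code below builds a minimal TLS 1.2 ClientHello (constructed sample input, hypothetical hostnames), pulls the server_name extension out of it the way a splice-only proxy does, and applies a block list to that name. Nothing is decrypted, and the ClientHello carries no URL, path or query, so the same bytes are produced whether the user is opening a homepage or running a search on it; a filter at this layer can only allow or refuse the hostname.

```python
"""Classify a TLS ClientHello by its SNI, as an SNI-only (splice) filter does.

Added example, not code from the thread or from pfSense/Squid. The ClientHello
bytes are constructed here for illustration and the hostnames are hypothetical.
Only the client's first flight is examined; a real proxy must also reassemble a
ClientHello that is split across several TLS records.
"""
import struct

SNI_EXTENSION = 0x0000   # server_name extension type, RFC 6066
HOST_NAME_TYPE = 0x00    # NameType host_name

# Hypothetical block list. A leading-dot style match covers subdomains.
BLOCKED = {"malware.example", "tracker.example"}


def build_client_hello(server_name=None):
    """Construct a minimal, well-formed TLS 1.2 ClientHello record (sample input)."""
    suites = b"\xc0\x2f\xc0\x30\x00\x9c"          # three AES-GCM cipher suites
    body = b"\x03\x03" + b"\x11" * 32              # client_version + fixed 'random'
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 24-bit len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent/unparseable."""
    if len(record) < 5 or record[0] != 0x16:       # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:               # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    hs = hs[4:4 + hs_len]
    if len(hs) < hs_len:
        return None                                # truncated (needs reassembly)
    pos = 2 + 32                                   # skip client_version + random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                             # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                             # compression_methods
    if pos + 2 > len(hs):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hs):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_size]
        pos += ext_size
        if ext_type != SNI_EXTENSION:
            continue
        if len(data) < 2:
            return None
        list_len = struct.unpack("!H", data[:2])[0]
        q, stop = 2, min(2 + list_len, len(data))
        while q + 3 <= stop:                       # ServerName entries
            ntype, nlen = struct.unpack("!BH", data[q:q + 3])
            q += 3
            name = data[q:q + nlen]
            q += nlen
            if ntype == HOST_NAME_TYPE:
                return name.decode("ascii", "replace").lower().rstrip(".")
    return None


def _matches(host, pattern):
    return host == pattern or host.endswith("." + pattern)


def decide(record, blocked=BLOCKED):
    """Return (verdict, sni): 'block', 'splice' (pass through) or 'no-sni'."""
    sni = extract_sni(record)
    if sni is None:
        return ("no-sni", None)       # policy choice: Squid-style setups usually splice
    if any(_matches(sni, p) for p in blocked):
        return ("block", sni)
    return ("splice", sni)


if __name__ == "__main__":
    for host in ("www.search.example", "cdn.malware.example", None):
        print(host, "->", decide(build_client_hello(host)))
```

The verdict is reached before a single byte of the HTTP request exists on the wire, which is why a list of bad hostnames works but "block searches for X on the same site" cannot: the search terms live inside the encrypted record that follows.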
        doktornotor

          It works just fine on pfSense with the latest Squid versions (>=0.4.35+) and "Splice All". And yeah, you obviously do not get any content filtering.

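The "Splice All" mode referred to above is Squid's peek-and-splice in its simplest form. As an added example, not from the thread or the pfSense package, here is a hand-written squid.conf fragment that peeks at the ClientHello for the SNI, terminates connections to assumed block-listed domains, and splices everything else so the TLS session stays end to end between browser and origin. The port, certificate path and domain names are assumptions.

```squid
# Transparent HTTPS intercept port. Squid still requires a CA certificate on a
# ssl-bump port, but in splice-only operation it never mints server certs with
# it, so the clients do not need to trust it (the point raised in the thread).
https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/squidCA.pem

acl step1 at_step SslBump1
# Hypothetical block list; the leading dot also matches subdomains.
acl blocked_sni ssl::server_name .malware.example .tracker.example

# Step 1: read the ClientHello only. Nothing is decrypted at this point.
ssl_bump peek step1
# Refuse matches on the SNI, pass every other connection through untouched.
ssl_bump terminate blocked_sni
ssl_bump splice all
```

Because the session is spliced rather than bumped, Squid never sees the HTTP request inside it: URL-based rules, content categories and antivirus scanning cannot apply, which is exactly the "no content filtering" caveat in the post above. Replacing `splice` with `bump` would enable those, at the cost of the interception and client-trust problems the first post describes.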
          Stewart

            I guess that makes sense. I was wondering how there was HTTPS in the options of the page and how it could view them when they are encrypted. If the hostname is sent separately, then why couldn't you do content filtering based solely on the SNI information? If it blocks bad (malicious) sites based on the hostname, why can't content filtering block based on the same information?

            doktornotor

              Content filtering == you can see the real content. Terminology mixup, I guess. You cannot filter content you do not see.

              http://wiki.squid-cache.org/Features/SslPeekAndSplice

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.