Is Squid AV now pointless?



  • I'm a newbie but recently hit what seems a problem I can't work around.

    The principle behind firewalling on the router is to give some first line AV protection to clients connected to the network. Most websites now are using HTTPS SSL security and without SSL filtering in Squid turned on, there is very little AV protection.

    So I enabled Squid SSL filtering and went off to test the filter using EICAR test download files. HTTP comes back with the Squid virus warning but HTTPS comes back blocked by my browser. In fact I can't browse any (most) HTTPS sites at all!

    I have a couple of PCs running Windows with latest Firefox browsers. My next step was to export the certificates from pfsense and install them in the Windoze root cert folder. Firefox still blocks but Win IE Explorer doesn't. That's because IE uses the Windows root cert depository but Firefox doesn't. I'm already realizing that any PC connected to my network would have to be 'customized' because the Squid SSL filter is 'man In the middle'.

    Not to be fazed by failure I tried to import the cert file generated by pfsense into Firefox but no go because FF requires both the cert and the key in a password encrypted file. Off I go to install openSSL to create the correct file format from the key and cert files. That didn't work either; Firefox now accepted the certificate but shows two certs for each site it blocks: the first is the site cert, followed by the pfsense exported cert.

    OK, some may say that's a Firefox security issue (for which there doesn't seem to be a workaround or disable option), but having to install certificates on local machines doesn't seem that clever either. Is anybody using Squid SSL filtering successfully on PCs with Firefox browsers, or have I gone wrong somewhere?

    Thanks


  • Banned

    No problems with FF whatsoever, see instructions at https://docs.diladele.com/administrator_guide_5_1/https_filtering/install_certificates/win_ff.html
    May it be that you forgot to check "Trust this CA to identify websites"?



    I've spent hours on this and you have now helped me make this work! What I did wrong was import the certificate into FF 'Your certificates' when I should have imported into 'Authorities', where I can then see the edit trust options in the popup. Another confusing area is the filename, issuer name, cert name and other names which are used differently when looking at the Windows and FF cert stores. You can't find it when it is there under one of the names.

    Diladele confused me but I can now see it was used as an example of a CA import. I am using pfsense to generate and export the squid server cert which I then put in the Windows root cert location. However, the cert file as is is not FF compatible, so you have to export it from Windows using the 'Cryptographic Message Syntax Standard PKCS #7' format, then import into FF on the Authorities tab and select the Trust options. There is supposed to be a way of FF linking across to the Windows root cert list and using that, but I couldn't get it to work. I haven't tried deleting the FF cert8.db file to see what gets created.

    Thanks a bunch for your help. I assume I now have to patch the new cert into any machine running FF on my local network?



    I wanted to run my wifi AP through the pfsense box to use its routing, firewall and site blocking. iPads and Android pads leak so much data I wanted some control over portable devices and also see just what was going out and to where. I think most just allow wifi portable devices through a DMZ, but it is these and home router connected devices (smart TVs and everything now coming with a network connection) that concern me, as I have no confidence in the cheap hardware router supplied by the ISP, which doesn't offer firewall logging through its API. I have reliable, rock solid software AV, firewall and malware apps on local PCs which I'd hoped to replicate in a pfsense router. By enabling SSL filtering (which seems essential for most websites now) I bring on a new bunch of problems, with my server cert being required in each device with different browsers, and they don't all use the same cert file types. Oh so much pain to learn and use openSSL!

    With your help I did get SSL filtering to work, but it seems impracticable to use it in a home network environment with different devices, some permanent and others 'visiting'. It looks like I'm still stuck parsing web content for threats after it's been checked for valid certs by the browser. I can see why browsers are removing options to disable cert checks, because whilst this might be OK on the end of an SSL proxy filter, moving the portable device to another network leaves it wide open to exploits.

    Does SSL filtering have to be enabled to white and black list sites, e.g. for parental control? I already have some control through an openDNS account but prefer to do it in pfsense and use my VPN DNS servers.


  • Banned

    The SSL transaction usually begins with the client sending the server the indication of the domain name it needs to connect to (google for SNI).
    If you are OK with allowing/blocking the whole transaction to that domain name, then no, you do not need to install your proxy cert on your devices. The transaction will either be allowed or denied as a whole and that is it. Sometimes it is enough.

    But if you need to see what is on the wire in the SSL connection, like when you need to take a look at/block search results on google (as opposed to blocking google as a whole), then installing the cert is inevitable. And that is a good thing. Imagine you were able to look into an SSL transaction without a certificate? What would prevent you from looking into my banking operations when I joined your wifi from my iphone? Now reverse you and me and you get the idea.

    OpenSSL is perfect software :) nothing to complain.
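    The point above, that the server name travels in cleartext at the start of the handshake so a proxy can allow or deny the whole connection without any certificate installed on the client, as an added Python example (this is not code from the thread, from Squid or from pfSense). It constructs a minimal TLS 1.2 ClientHello with a server_name extension, parses the SNI back out, and applies a domain blocklist; the host names used (ami.com, eicar.org) are the ones mentioned in this thread, and the "deny-no-sni" policy for hellos without SNI is one possible choice, assumed here.

```python
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension, RFC 6066


def build_client_hello(server_name=None):
    """Constructed sample ClientHello (not captured traffic) for testing the parser."""
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += bytes(32)                        # random (zeros; constructed sample)
    body += b"\x00"                          # session_id length 0
    suites = b"\xc0\x2f\xc0\x30"             # two cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # compression methods: null only
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(name_entry)) + name_entry
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    exts += struct.pack("!HH", 0x0017, 0)    # an unrelated empty extension, to exercise skipping
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def _parse_sni_ext(data):
    """Return the first host_name entry of a server_name extension body, or None."""
    if len(data) < 2:
        return None
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, min(2 + list_len, len(data))
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0 and len(name) == name_len:
            try:
                return name.decode("ascii")
            except UnicodeDecodeError:
                return None
    return None


def extract_sni(record):
    """Walk a TLS record and return the SNI host name of a ClientHello, or None.

    Every length is bounds-checked so a truncated or non-handshake record yields None
    instead of an exception: this is the code path a filter sees on the wire.
    """
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                              # compression_methods
    if len(body) < pos + 2:
        return None                                   # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT_TYPE:
            return _parse_sni_ext(edata)
    return None


def sni_decision(record, blocklist):
    """Allow or deny the whole connection from the ClientHello alone (no MITM needed)."""
    host = extract_sni(record)
    if host is None:
        return "deny-no-sni"     # assumed policy: a hello we cannot classify is refused
    host = host.lower().rstrip(".")
    for blocked in blocklist:
        if host == blocked or host.endswith("." + blocked):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for name in ("ami.com", "www.eicar.org", None):
        print(name, "->", sni_decision(build_client_hello(name), {"eicar.org"}))
```

    The decision is made before any payload is exchanged, which is exactly why this mode needs no proxy CA on the client and also why it cannot see anything inside the connection: a download from a blocked host is refused wholesale, a download from an allowed host passes uninspected.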



    Thanks, I did some more work and it seems some issues are with the FF browser. I cannot detect a virus test file from an SSL site without a certificate for Squid M-in-the-M to work. Windows and Chrome browsers use the integral certificates and these can easily be exported to other Windows machines. Apple OS seems to just put up browser cert warnings which you can ignore. Android has its own way of importing certs so it all becomes rather messy and unworkable for 'guest' devices not tethered on my small network. However, FF latest releases with their own cert file store now block with no option to accept. Even with a cert in the FF store it seems more prone to throw out a cert error. I don't think Squid AV at the router level can replace AV software on the clients, which is what I had hoped for.

    I can run without Squid SSL AV using the Splice All option, which as I understand it will allow me to use Squidguard for filtering? Most sites I use were happy with spliced certs except one which always threw cert errors in FF. I looked at the TLS and it was the only site using 256bit + 384 (?) encryption. FF was rejecting it as 'cert longer than expected' whilst Explorer and Chrome were OK with it.


  • LAYER 8 Netgate

    I would consider SSL MITM to be more dangerous than any potential viruses - at least in my environment here.

    Even (perhaps especially) if the SSL MITM was done on the client.

    The A/V software makers do not have a very good track record in that department.



    I still have issues with Squid SSL proxy filtering and after some searching discovered several threads in which some claim to have fixed the SSL ERROR 92 issue when visiting some sites. I now realize I have to self test my pfsense setup for rules and blocking after finding some proposed fixes which, whilst enabling the Squid SSL filter, left Squid not filtering at all! The same was true of SquidclamAV and testing whether the DNS cache was actually working or not. Here are my simple tests:

    1. Squid SSL filter ERROR 92 website blocked.
    https://ami.com

    You need this site for important BIOS files!

    2. SquidclamAV HTTP & HTTPS anti virus:
    http://www.eicar.org/download/eicar.com

    If you can download the SSL test file your Squid SSL filter is broken!

    3. Ad blocking with pfblockerNG (e.g. Cameleon); disable local browser Adblock:
    Try www.008.free-counters.co.uk

    If you get their server page, Ad blocking isn't working. If the page is black, it's working.
    Download and save the txt files for your DNSBL feeds, extract sites in the list and test they are blocked.

    Also try www.aol.com - plenty of ads there to block.

    4. Is the squid proxy server caching after initial setup?
    From the pfsense box console option 8 shell:

    du -sh /var/squid/cache/00

    Check the folder size, browse to sites you haven't been to, then resend the above command. If the folder size increases, the squid proxy cache is working. Browse back to sites you have been to, resend the command and check that the folder size hasn't changed.

    I still can't get Squid SSL proxy filtering to work for all sites whilst correctly rejecting the eicar.com SSL download. It isn't related to the local browser CA because the error screen comes from Squid. Any suggestions please, or am I a muppet?

