Squid Certificate

  • How do I get a paid signed certificate so I won't need to install the certificate in every browser for transparent Squid HTTPS blocking?

    Thanks in advance.

  • You can't. The whole point of HTTPS is not just for privacy, but also verification. Nearly every government in the world is trying to break HTTPS to do what you want to do.

    The best you can do is make a fake CA and tell all of your clients to trust that CA by installing the cert on each client. Of course this means you need access to each client to install the cert. This is also an attack vector. Because you're the one signing the HTTPS connection, you are now responsible for making sure the connection is valid. There have been attacks where the attacker would get the transparent proxy to sign their content, making the client trust the data. One such attack can allow attackers to install malware via Windows Update. Microsoft's response to this is STOP USING HTTPS PROXIES.

    Of course few people in the industry even talk about these issues because they're not concerned with security or don't understand the implications of what they're doing. This is not pfSense specific. All HTTPS proxies have these issues, they just don't talk about them.

  • LAYER 8 Global Moderator

    Agree with Harvy66 on this… MITM is bad from every aspect. It breaks compliance with many rules like HIPAA, PCI, etc. While it can be done, sure: if the users of your proxy trust your CA, then you can have your proxy issue a cert for any FQDN the user is going to. But this opens up a whole can of worms on many different fronts.

    Admin(s) of the proxy could then sniff what the user thinks is encrypted, like their login to their bank account, or the sending of their CC# in an online payment.

    You can filter traffic based upon the dest FQDN without having to do MITM attacks against the https. So if you don't want your users going to www.shopping.com while they are at work you can do that, but you don't have to break their end-to-end https connection to do it. You can do this because the client sends the FQDN they are trying to go to in the clear, so the proxy can see it.

    What you can not do is filter on the full URL. So while you could say block https://www.facebook.com, you couldn't say allow https://www.facebook.com/something while blocking https://www.facebook.com/otherthing. You can only either allow facebook.com or block it; you can not get specific with the full URL like you can with http traffic. To do that full URL filtering you would have to do ssl bump, i.e. a MITM attack against your own users.

    This is not something I would suggest you take lightly if thinking about doing such a thing. It's bad juju all the way around. But if you have your heart set on it, there are plenty of guides out there on how to do it on pfSense. But think long and hard before opening up that can of worms, would be my advice.

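The point made in the last two replies (the proxy can see the destination FQDN without breaking TLS, but never the URL path) is illustrated by the following added example. It is not part of the thread and is not Squid's or pfSense's code: it constructs a minimal TLS 1.2 ClientHello carrying a Server Name Indication (SNI) extension, then parses the SNI back out the way a transparent proxy can before any certificate is exchanged, and applies a constructed block list to decide whether to pass the connection through or drop it. The host names and `BLOCKED_DOMAINS` are made-up test data; `build_client_hello`, `extract_sni` and `proxy_decision` are names chosen here for the example.

```python
"""Added example: SNI is plaintext in the TLS ClientHello, the URL path is not.

Builds a minimal TLS 1.2 ClientHello with an SNI extension (constructed test
data), parses the server name out of it without terminating TLS, and applies an
FQDN-only policy of the kind a non-MITM proxy can enforce.
"""
import struct
from typing import Optional

# Constructed block list for the example (domain and any subdomain).
BLOCKED_DOMAINS = {"shopping.com", "facebook.com"}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record. Random/session/cipher fields are
    placeholders; only the structure a parser walks is realistic. Passing
    None omits the extensions block entirely (a ClientHello without SNI)."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                               # client_version TLS 1.2
        + b"\x00" * 32                             # client_random (constructed, all zero)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
        + b"\x01\x00"                              # compression: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello record, or None if absent
    or the record is not a well-formed ClientHello (truncated data is rejected)."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                # truncated
    pos = 2 + 32                                   # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # skip session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # skip compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0 or len(data) < 2:
            continue
        list_end = 2 + struct.unpack("!H", data[0:2])[0]
        p = 2
        while p + 3 <= min(list_end, len(data)):
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + nlen]
            p += nlen
            if ntype == 0 and len(name) == nlen:
                return name.decode("idna")
    return None


def proxy_decision(record: bytes) -> str:
    """What an SNI-only proxy can do: 'splice' (pass through untouched),
    'terminate' (FQDN is blocked) or 'no-sni' (nothing to filter on)."""
    name = extract_sni(record)
    if name is None:
        return "no-sni"
    name = name.lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "terminate"
    return "splice"
```

The decision is made from the ClientHello alone, before any certificate is issued or inspected, which is why it does not need the users to trust a proxy CA. Nothing like `/something` or `/otherthing` exists in that message: the request line is inside the encrypted stream, so distinguishing two paths on the same host requires terminating TLS (ssl bump).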