Another SSL Error Post



  • Hi,

    Yes, I know there are a ton of these but I can't find anything recent so am looking for an update...

    Is there any way as yet to get around the SSL error with the DNSBL other than turning off logging to redirect to 0.0.0.0?

    Not sure why they can't be redirected to a page on the pfBlocker server showing the error and where they came from so they know which page is blocked? Why does it have to show an SSL error on the blocked page?

    Thanks.



  • It's all about the very nature of TLS/SSL.
    HSTS does not make things any better.

    Just know this first: what TLS/SSL is, what this means https://....... What these certificates are actually doing. And I mean, really know the why and what.

    HSTS adds a possibility to your browser so it knows that, for example, a certificate using "microsoft.com" can never ever be used in relation to a web server that is not addressable at "microsoft.com".
    It boils down to: when the browser wants a page from "microsoft.com", it will never accept info from a site that is not "microsoft.com".
    The web page that "pfBlockerNG" tries to show you isn't from "microsoft.com" - and no one on planet earth can fool the browser any more so that it thinks it is. It's about security and so ^^



  • @Gertjan said in Another SSL Error Post:

    ser so it knows that, example

    Hi @Gertjan

    I understand that, but why can pfBlocker not intercept this and simply redirect the user to a locally hosted page instead that says the previous page has been blocked? It already displays a custom page using the requested URL, it would just need to show the same page but on a redirected URL instead.

    Cheers.



  • Ok.

    Lucky you, I have 5 minutes.

    Here we go:

    A web page contains an advertisement, like
    https://serverfault.com/questions/1000126/set-up-multicast-route-across-a-middle-hop

    You see the:

    (screenshot of the ad)

    Let's inspect.
    It's a whole bunch of HTML coming from:

    <iframe style="border: 0px none; vertical-align: bottom;" src="https://tpc.googlesyndication.com/safeframe/1-0-37/html/container.html" id="google_ads_iframe_/248424177/serverfault.com/lb/question-pages_0"></iframe>


    Note: it's an iframe, loaded "as a new page" but in place, in the existing page / browser tab. These can't be redirected, and the loading is handled by embedded JavaScript.

    The info, an ad, comes from googlesyndication.com and the transmission is done over https.
    So, the certificate that comes from "googlesyndication.com" - wherever that points to, should say it's "googlesyndication.com".
    Or, the IP isn't from "googlesyndication.com" - because that URL is blacklisted by a feed you are using with pfBlockerNG.
    My Resolver was loaded with this info:

    local-zone: "googlesyndication.com" redirect
    local-data: "googlesyndication.com 60 IN A 10.10.10.1"
    

    ( this is what pfBlockerNG is all about )

    So it points to 10.10.10.1 or wherever your "DNSBL Webserver Configuration" is pointing to.

    And, while "DNSBL Webserver Configuration" is using https and thus sending a certificate, it will not send a certificate that says it is "googlesyndication.com".

    Amongst other things, my browser detects that it is a self-signed certificate, so it rejects the content. Bye bye the nice "DNSBL Webserver Configuration" placeholder web page.

    pfBlockerNG could have been using a really trusted certificate - I have those on my pfSense, but still, my browser would know it isn't "googlesyndication.com" that is answering.

    I could have generated a "googlesyndication.com" certificate on the fly, as soon as I can prove that I'm the owner of "googlesyndication.com", but I'll be having a hard time doing so.

    And even when I pull that one off, my browser is caching certificates, and knows that the new "googlesyndication.com" I just created isn't what it has seen before. This is what HSTS is all about.

    @Daskew78 said in Another SSL Error Post:

    I understand that

    You understand now that you do not / did not understand what happens.
    Good news: I guess I threw you onto the right track. Now apply: "There's a difference between knowing the path and walking the path."
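
An added example, not part of the thread and not pfBlockerNG's own code, that models the chain described in the two posts above: the Unbound "redirect" local-zone that sends every name under a blacklisted domain to the DNSBL web server, and the browser-side hostname check that then rejects whatever certificate that server presents. The Unbound fragment, the IP addresses, the certificate SAN names and the HSTS list are all constructed for the example.

```python
"""
Offline model of why the pfBlockerNG DNSBL placeholder page can't be shown
over https. Parses Unbound local-zone/local-data lines in the shape pfBlockerNG
writes, resolves a name the way a 'redirect' zone does, and then applies the
browser's certificate hostname check. Everything here is constructed for the
example; it is not pfBlockerNG code and it does not touch the network.
"""

# Constructed Unbound fragment (hypothetical contents, same shape as the thread's lines).
UNBOUND_CONF = """
local-zone: "googlesyndication.com" redirect
local-data: "googlesyndication.com 60 IN A 10.10.10.1"
local-zone: "doubleclick.net" redirect
local-data: "doubleclick.net 60 IN A 0.0.0.0"
"""


def parse_unbound(text):
    """Return {zone: (zone_type, answer_ip)} from local-zone / local-data lines."""
    zones, data = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("local-zone:"):
            _, rest = line.split(":", 1)
            name, ztype = rest.split()
            zones[name.strip('"').rstrip(".").lower()] = ztype
        elif line.startswith("local-data:"):
            _, rest = line.split(":", 1)
            # "<name> <ttl> IN A <ip>"
            fields = rest.strip().strip('"').split()
            name, rtype, rdata = fields[0], fields[3], fields[4]
            if rtype == "A":
                data[name.rstrip(".").lower()] = rdata
    return {z: (t, data.get(z)) for z, t in zones.items()}


def resolve(qname, table):
    """Walk up the labels: a 'redirect' zone answers for every name under it."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in table:
            ztype, ip = table[zone]
            if ztype == "redirect" and ip:
                return ip
    return None  # not blacklisted: the query would go to the real resolver


def hostname_matches(san_list, hostname):
    """RFC 6125-style dNSName match: exact label match, or a single left-most
    wildcard label that is not directly under a public suffix such as 'com'."""
    host = hostname.lower().rstrip(".").split(".")
    for san in san_list:
        pat = san.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*" and len(pat) > 2 and pat[1:] == host[1:]:
            return True
        if pat == host:
            return True
    return False


def browser_outcome(hostname, table, server_sans, hsts_hosts, trusted_chain):
    """What the browser ends up with for https://<hostname>/ after DNSBL resolution.
    server_sans: SANs on the DNSBL web server's certificate (constructed).
    hsts_hosts: hosts the browser has an HSTS entry for, treated as includeSubDomains.
    trusted_chain: whether the server's certificate chains to a trusted CA."""
    ip = resolve(hostname, table)
    if ip is None:
        return "not blocked"
    if ip == "0.0.0.0":
        return "connection fails, no TLS handshake, no error page"
    # Connected to the DNSBL web server; it presents its own certificate.
    if hostname_matches(server_sans, hostname) and trusted_chain:
        return "placeholder page shown"
    # Name mismatch (and usually an untrusted chain too): verification fails.
    if any(hostname == h or hostname.endswith("." + h) for h in hsts_hosts):
        return "certificate error, no click-through (HSTS)"
    return "certificate error, click-through possible"


if __name__ == "__main__":
    table = parse_unbound(UNBOUND_CONF)
    sans = ["pfsense.home.arpa"]          # constructed SAN on the DNSBL web server cert
    hsts = {"googlesyndication.com"}      # constructed HSTS entry in the browser
    for name in ("tpc.googlesyndication.com", "ad.doubleclick.net", "example.org"):
        print(name, "->", resolve(name, table), ":", browser_outcome(name, table, sans, hsts, False))
```

The `trusted_chain=True` case is the one worth noting: even with a publicly trusted certificate on pfSense, `hostname_matches` still fails for the blacklisted name, so the outcome only changes from "untrusted and wrong name" to "trusted but wrong name". The `0.0.0.0` path is the workaround from the first post: there is no server to talk to, so there is no certificate error, but also no page.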



  • @Gertjan Okay so put simply, it's just not possible ☹

    Thanks anyway :)

