Netgate Discussion Forum

    Logging HTTPS Web Sites

    • inghaj

      It used to be possible to use SQUID to log all website (including https) URLs visited by users. Easy instructions were here: https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense

      However, (despite installing certificates on my computer), my Chrome browser still throws up a warning when I try to visit https sites.

      Is there still a way to do this, or are browsers too security conscious now?

      Thanks
      James

      • michmoor LAYER 8 Rebel Alliance @inghaj

        @inghaj the cert is installed in the trusted root store (assuming we're talking about Windows)?
        You verified it's the same CA cert that's on pfSense as well?
        Have you tried another browser - FF for example?
        Windows devices are pointing to the firewall as proxy?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

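The "same CA cert" check michmoor asks about, as an added example that is not part of the original thread: it compares the fingerprint of the CA exported from pfSense against every certificate in a PEM bundle of the client's trusted roots. All names and sample data are constructed for illustration; the sample "certificates" are stand-in bytes, and the stale client models a machine that still holds an older copy of the CA.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """DER bytes of every certificate in a PEM file or bundle (CRLF tolerant)."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(text)]

def fingerprint(der, algo="sha256"):
    """Colon-separated hex digest of the DER bytes (sha1 = Windows 'Thumbprint')."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def ca_installed(pfsense_ca_pem, client_roots_pem):
    """(found, fingerprint): is the CA exported from pfSense among the client's roots?"""
    cas = pem_certs(pfsense_ca_pem)
    if len(cas) != 1:
        raise ValueError("expected exactly one certificate in the pfSense export")
    wanted = fingerprint(cas[0])
    have = {fingerprint(der) for der in pem_certs(client_roots_pem)}
    return wanted in have, wanted

def to_pem(der):
    """Wrap bytes as a PEM block; used only to build the constructed samples."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample data: stand-in bytes, not real X.509 certificates.
CURRENT_CA = b"stand-in DER: CA currently used by Squid on pfSense"
OLD_CA = b"stand-in DER: older CA with the same name, since regenerated"
OTHER_ROOT = b"stand-in DER: unrelated public root"
PFSENSE_EXPORT = to_pem(CURRENT_CA)
# Root stores exported from two hypothetical Windows clients (CRLF line endings).
STALE_CLIENT = (to_pem(OTHER_ROOT) + to_pem(OLD_CA)).replace("\n", "\r\n")
GOOD_CLIENT = (to_pem(OTHER_ROOT) + to_pem(CURRENT_CA)).replace("\n", "\r\n")

if __name__ == "__main__":
    for label, roots in (("stale client", STALE_CLIENT), ("good client", GOOD_CLIENT)):
        found, fp = ca_installed(PFSENSE_EXPORT, roots)
        print(f"{label}: pfSense CA {'present' if found else 'MISSING'} ({fp[:23]}...)")
```

With real files, pass the text of the CA certificate exported from pfSense and the text of a PEM export of the client's trusted roots in place of the constructed samples.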
        • johnpoz LAYER 8 Global Moderator @inghaj

          @inghaj said in Logging HTTPS Web Sites:

          still throws up a warning when I try to visit https sites.

          What is the warning exactly? Can you post a picture of the error you're seeing?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • planedrop

            Like others are mentioning I think we need a bit more info to properly help here.

            I will say that Chrome semi-recently started using its own certificate store instead of the local one, however it's supposed to still add certs from your device's local cert authority list per: https://support.google.com/chrome/answer/95617?visit_id=638264549969026999-3286720105&p=root_store&rd=1#root_store&zippy=%2Cmanage-device-certificates-on-mac-and-windows

            But I suppose it's possible there is some kind of bug with this currently? Just taking a guess assuming everything else is actually in line.

            • Gertjan @inghaj

              @inghaj said in Logging HTTPS Web Sites:

              Is there still a way to do this, or are browsers too security conscious now?

              When you instruct your browser to talk to "microsoft.com" it has ways to detect if there is a MITM, aka your squid.
              Your browser and "microsoft.com" agreed that they don't want a MITM, to protect the end user. And because it defies the usage of TLS (https).
              This time it's you, next time it's the neighbor, or the government, or any 3 letter agency, and so on.

              Meet HTTP Strict Transport Security

              Btw: If you find a way around this, you'll be very famous.
              I'm not sure if you become 'rich' but one thing is sure: your 'quality of life' will strongly degrade, as there will be many coming after you as you are the one that broke the world's economy (the Internet can't be used anymore for trusted transactions).

              @planedrop said in Logging HTTPS Web Sites:

              I will say that Chrome semi-recently started using its own certificate store instead of the local one

              It probably has a built-in list with sites 'not to mess with' == known HSTS sites.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.