How to deal with apps when using a transparent HTTPS proxy

  • Hello guys:

    I'm running pfSense 2.2.4 with a transparent HTTPS proxy configuration (Squid + SSL intercept) which is working pretty fine. After importing the CA certificate in browsers (IE and Firefox), browsing most HTTPS sites works without issues (there are some exceptions).

    However, I'm finding it difficult to deal with desktop applications such as Google Drive, Dropbox, Windows and antivirus updates, which do not work fine. I believe this is due to the SSL certificate not being recognized.

    If these apps don't provide a way to import a CA certificate, which is the best alternative you recommend?

    Initially as a workaround, I instructed users to use "manual proxy" in IE but I'd like to stop doing that.

    Another way I did it is to exclude (for instance) a domain from the transparent proxy by adding each public IP address that resolves to such a domain. This can be erratic in the meantime and also very tedious.

    I'd like you guys to give me some ideas based on your best experience.

    Thanks in advance.

  • Banned

    I recommend NOT using a transparent HTTPS proxy at all. It will avoid your issue altogether.

  • Yes, I definitely know that the best practice would be to use manual proxy while avoiding transparent settings (http and https).

    However, I'd like to know as much as possible about every way I can deal with this kind of configuration so I can decide in which scenarios it is usable, what the common issues are and what the advantages are. The idea is to make the best effort so I can tell my clients "hey, manual proxy is the best alternative but if you want transparent proxy (http+https) you should be aware of these constraints, pros and cons…"

    Thanks for your suggestion doktornotor :)

  • Banned

    Well, if you look here then DHCP/DNS/WPAD is pretty much what's always recommended instead of transparent proxies, since proxy-savvy apps will pick that up and the rest won't get broken.

    Transparent HTTPS proxying breaks the authentication portion of HTTPS and opens your entire network to a slew of new, very dangerous attacks. Many operating systems assume HTTPS is trustworthy and will blindly accept updates as long as HTTPS claims them to be signed. If you just start signing everything that comes in, many applications will think that everything is trustworthy.

    You have been warned.

  • Ok, I understand and appreciate your comments. So I have some questions about web filtering in medium to big companies:

    • How do other companies deal with a big number of users (PCs, laptops, smartphones, tablets, etc) browsing Internet without losing control? I just can't use proxy settings on every smartphone or tablet in the company.

    • Some time ago I saw a small company being filtered by a Fortinet appliance even on HTTPS connections without receiving any warning related to SSL certificates. Any idea how that is possible?

    • If I want to have control of Web browsing over hundreds or thousands of users (e.g. a university or big school), how do you filter HTTPS? Nowadays most websites run under HTTPS, even Wikipedia!

    This certainly departs from the original topic of this post but I believe it's important to know what the best practices on this matter are.

    Thanks in advance

  • I just can't use proxy settings on every smartphone or tablet in the company.

    Why not?  Block general access to 80/443 to enforce proxy usage.  If someone wants out, they have to go through the proxy, be it via WPAD or manual config.

    Any idea how that is possible?

    It's possible in exactly the same way that it's possible for squid in explicit mode to filter HTTPS.

    how do you filter https?

    By either running squid in explicit mode, or running it in transparent mode with SSL interception enabled.  Explicit mode is a lot less work for you, and more flexible.
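
    The explicit-proxy approach recommended in this thread (hand the proxy out via WPAD, block direct 80/443 at the firewall) needs a PAC file for WPAD to serve. The following is an added example, not code from the thread or from pfSense/Squid: a minimal PAC file that routes everything through the Squid proxy and bypasses it only for internal names and RFC 1918 addresses. The proxy address 192.168.1.1:3128 and the LAN domain corp.example are assumptions; the PAC helper functions are normally supplied by the browser and are re-implemented here only so the file can also be run and tested under Node.

    ```javascript
    // Added example, not from the thread. WPAD PAC file: all traffic goes through the
    // explicit Squid proxy; only internal names and RFC 1918 literals go direct.
    // Assumed values: proxy 192.168.1.1:3128 (Squid's default port), LAN domain corp.example.
    var PROXY = "PROXY 192.168.1.1:3128";

    // Browsers provide these PAC helpers natively; the minimal versions below only
    // shadow the built-ins and let the file run under Node for testing.
    function isPlainHostName(host) {
      return host.indexOf(".") === -1;
    }
    function dnsDomainIs(host, domain) {
      return host.length >= domain.length &&
        host.substring(host.length - domain.length) === domain;
    }
    // True only when host is an IPv4 literal inside pattern/mask (no DNS lookups).
    function isInNet(host, pattern, mask) {
      var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
      if (!m) return false;
      var p = pattern.split("."), k = mask.split(".");
      for (var i = 0; i < 4; i++) {
        if ((Number(m[i + 1]) & Number(k[i])) !== (Number(p[i]) & Number(k[i]))) return false;
      }
      return true;
    }

    function FindProxyForURL(url, host) {
      host = host.toLowerCase();
      // Local resources: unqualified names, the LAN domain, loopback and RFC 1918 literals.
      if (isPlainHostName(host) ||
          dnsDomainIs(host, ".corp.example") ||
          host === "localhost" ||
          isInNet(host, "127.0.0.0", "255.0.0.0") ||
          isInNet(host, "10.0.0.0", "255.0.0.0") ||
          isInNet(host, "172.16.0.0", "255.240.0.0") ||
          isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
      }
      // Deliberately no "; DIRECT" fallback: with 80/443 blocked at the firewall it
      // could never succeed, and it would only hide a proxy outage from the user.
      return PROXY;
    }
    ```

    Serve the file as http://wpad.<your-domain>/wpad.dat (WPAD via DNS) or point DHCP option 252 at its URL; Squid's own ACLs then do the filtering on the explicit connection.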

  • Add the CA to Windows with cert manager to the root CA store; no need to add it to individual browsers or apps.

  • Banned

    Add the CA to Windows with cert manager to the root CA store; no need to add it to individual browsers or apps.

    This won't work with Firefox/other Mozilla-based browsers, nor with any other (badly designed) app that doesn't use the system certificate store.