Re: Http works HTTPS gives cert errors. No errors in logs.

I think "Blocking HTTPS-based sites" needs to be added to the FAQ:

Blocking HTTP is easy because the HTTP protocol has well-defined
response codes to do this.

HTTPS actually is SSL-wrapped HTTP and SSL does not allow any kind
of interference, redirection or manipulation and cannot be blocked like
HTTP is blocked.  You might say "but we have sslbump!"  Sslbump is
a man-in-the-middle attack which can be masqueraded by adding a
fake root certificate to all browsers.  The downside is that the HTTPS
sites are not secure any more since the Squid administrator has access
to the decrypted content when Sslbump is enabled.  So SSL has a benefit
and a security issue.  It is up to you to decide whether Sslbump is
appropriate for your environment or not. Sslbump in Squid 3.2
breaks Skype and other protocols using port 443, but I do not know
for sure if this is still the case for version 3.3 or 3.4.

Having said all this, HTTPS *can* be blocked, but not as elegantly
as HTTP can be blocked.  When an HTTPS URL is redirected or the
network connection between the browser and Squid is terminated, the
URL is effectively blocked and the end user has a vague message in
the browser like "cannot connect to server/proxy".
ufdbGuard, an alternative for squidGuard, by default redirects a
blocked HTTPS URL to https://blockedhttps.urlfilterdb.com which
has a valid SSL certificate and therefore normally gives a
slightly more comprehensible "I do not trust the SSL
certificate" error message in the browser of the end user.  The fact that
the new URL is "blockedhttps.urlfilterdb.com" is a hint to the
end user what is going on.  In case the end user ignores
the SSL certificate warning, the end user will see a readable
"Forbidden" message.

Note that the issue with blocking HTTPS-based sites is true
for _all_ web proxies simply because SSL does not allow redirects.

Marcus
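
The "terminate the connection" approach described above, as an added squid.conf example that is not part of Marcus's post or of the Squid project's default configuration. It assumes an explicit (non-transparent) proxy: the browser sends the destination host name in the CONNECT request line, so a `dstdomain` ACL can match it and refuse the tunnel before any TLS traffic flows. No SslBump and no certificate on client machines is involved. The host names and the LAN range are constructed placeholders.

```conf
# Added example (not from the original post). Explicit proxy only.
# Host names are constructed examples; a leading dot also matches subdomains.
acl blocked_https dstdomain .example-blocked.test .video-site.test
acl localnet src 192.168.0.0/16          # constructed LAN range
acl SSL_ports port 443
acl CONNECT method CONNECT

# Usual safety rule: CONNECT tunnels are only allowed to the HTTPS port.
http_access deny CONNECT !SSL_ports

# Refuse the tunnel for the listed domains. Squid answers the CONNECT with
# HTTP 403 and the TLS handshake never starts, so the content stays opaque
# to the proxy and the user only gets the generic "cannot connect" error
# in the browser, as described above.
http_access deny CONNECT blocked_https

# Everything else from the LAN is allowed as before.
http_access allow localnet
http_access deny all
```

To confirm the rule works, watch access.log: a refused tunnel is logged with result `TCP_DENIED/403`, method `CONNECT` and the target as `host:443`, which is also the evidence you would keep when users report the vague browser error. The caveat is that this relies on seeing the CONNECT request; in transparent interception there is no CONNECT and a later Squid (3.5 or newer, not the 3.2 to 3.4 discussed here) would need `ssl_bump peek`/`terminate` on the TLS server name to achieve the same effect.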



On 10/18/2013 05:20 PM, Derek Pinkston wrote:
Maybe someone can answer this for me so I can definitively determine
if Squid is still right for us. We have used squid and squidguard for
years to block sites for parts of our company and restrict total
access for other parts.  However now that more and more sites are
using https by default, the users who should not be surfing the
internet are surfing through https...  I thought that the newest
versions of squid would easily remedy this, but so far that does not
seem to be the case. Can squid+squid guard monitor and block https
traffic without having to install certs on individual
computers/browsers?  I want this to be as un-intrusive as our previous
setup was.

I thought I read it was possible but I'm having an impossible time
finding an article or wiki or anything that will tell you exactly how
to accomplish this. Can anyone please help or suggest something that
may work for my situation?
