

If your filtering software is implemented as a (possibly transparent) HTTP proxy, then the only way you can filter HTTPS connections is to do Man-in-the-Middle SSL inspection. This is a somewhat tricky and intrusive technique, but some filtering proxies do support it.

Whenever the proxy intercepts an SSL handshake, it doesn't forward it to the target site but responds to it directly, using its own self-signed certificate that claims to be valid for the target site. Once the SSL connection is established between the proxy and the browser (which thinks it's talking to the target site), the proxy creates its own SSL connection to the target site. The proxy then receives the HTTP request over SSL from the browser, filters it and forwards it to the target site. It then does the same with the response from the target site to the browser.

Of course, since the certificate sent by the proxy to the browser in step 1 is not actually valid for the target site, and in particular hasn't been signed by a trusted CA, the browser would normally abort the connection and show the user a big alert about an untrusted certificate. The trick, however, is that you, as the network administrator, need to add the proxy's signing certificate into the browser's list of trusted root certificates. That way, the browser will, in fact, trust the fake certificates returned by the proxy. Of course, the user could remove the proxy's cert from the browser's trusted list, or just use their own browser that is not configured to trust the proxy. But this just means that they'll get a security alert and be unable to connect to HTTPS sites; it won't help them actually bypass the proxy.

All that said, I would seriously advise you to think carefully before using such tricks to undermine the SSL trust infrastructure, and to only do it if you feel that it's absolutely necessary. Even then, I'd recommend only applying it to a few specific sites that you want to filter, and to leave HTTPS connections to other sites alone. Your users might not care that you're snooping their Google searches - but they will not want you snooping their online banking, for example.

On the other hand, if your filtering software runs on the user's computer, e.g.
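The trust decision described in the answer above, worked through as an added example (not code from the original answer or from any particular proxy product): a simplified browser check that accepts a leaf certificate only when its SAN names the host and its signature verifies under a root in the trust store, run against a leaf issued by a public root and one issued by a filtering proxy's own root, before and after the proxy root is installed. It uses the third-party `cryptography` package; the CA names, the hostnames and all keys are constructed here and are not real.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def make_cert(cn, issuer_cert, signing_key, pub_key, is_ca=False):
    """Build a certificate for cn; self-signed when issuer_cert is None."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(subject)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .public_key(pub_key).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if not is_ca:  # a leaf cert names the host it claims to be valid for
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
    return b.sign(signing_key, hashes.SHA256())

def browser_accepts(leaf, hostname, trusted_roots):
    """Simplified browser check: hostname in SAN, signature verifies under a trusted root."""
    sans = leaf.extensions.get_extension_for_class(
        x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    if hostname not in sans:
        return False
    for root in (r for r in trusted_roots if r.subject == leaf.issuer):
        try:  # real browsers also check validity dates, key usage, revocation, ...
            root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                     padding.PKCS1v15(), leaf.signature_hash_algorithm)
            return True
        except InvalidSignature:
            pass
    return False

# Constructed scenario (names made up): the browser's public root, the proxy's own root, one leaf for SITE from each.
SITE = "bank.example"
public_ca_key, proxy_ca_key, site_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
public_ca = make_cert("Public Root CA", None, public_ca_key, public_ca_key.public_key(), True)
proxy_ca = make_cert("Filtering Proxy CA", None, proxy_ca_key, proxy_ca_key.public_key(), True)
real_leaf = make_cert(SITE, public_ca, public_ca_key, site_key.public_key())
proxy_leaf = make_cert(SITE, proxy_ca, proxy_ca_key, site_key.public_key())  # what the proxy serves
def outcomes():
    return {  # trust decisions before and after the admin installs the proxy root
        "real_site_default_store": browser_accepts(real_leaf, SITE, [public_ca]),
        "proxy_default_store": browser_accepts(proxy_leaf, SITE, [public_ca]),
        "proxy_root_installed": browser_accepts(proxy_leaf, SITE, [public_ca, proxy_ca]),
        "proxy_wrong_hostname": browser_accepts(proxy_leaf, "shop.example", [public_ca, proxy_ca]),
    }
```

The proxy's leaf is rejected by the default store and accepted once the proxy root is added, which is exactly the step the answer calls "the trick"; the `issuer` field of the served certificate still differs from the public one, which is how a user inspecting the certificate can tell that inspection is taking place.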
