I run a school network with a BYOD program in place. I have a Linux proxy (squid) with content filtering by Mind (fork of dansguardian). Everything works fine over HTTP; the problem is of course when kids start using HTTPS. My biggest issue is that Apple has switched to using HTTPS when doing a Google search in Safari. This allows kids to do searches without MinD forcing safe search. I would like to know what I could possibly do about this. Is there any way to stop this? Thanks in advance for any help!
3 Answers
Squid supports a feature called SslBump using Bump-Server-First. This basically means browsers will attempt to establish a secure connection between them and the host. The Squid cache gets the intercepted connection, Squid establishes the external connection, and then it completes the secure connection to the user. Squid is essentially the certificate authority for the user/squid portion, so it can decrypt the traffic and cache/filter it.
As this is something the people who designed SSL thought could be an attack vector, there are some bumps to get over. Squid does support dynamic cert generation so cert domains match on the client end and have some of the original cert information go through to the client. All this can go fairly seamlessly if your client devices can trust your CA certificate. That bit's a little harder if people are using their own devices.
- iOS can add CA certs with the iPhone Configuration utility
- ~~Doesn't look like it's possible on the droids~~ Recent droids can add CA certs
- Windows/OSX of course can.
- Linux is a bit more fiddly depending on the apps you use and what they use as a key store.
The thing to note is that your cache is now in control of third-party trust for these devices. The information that is mimicked in the dynamic certs goes some way to mitigating this, but it's possible to configure squid to blindly trust things, which could be bad for the users if someone were to do a real man-in-the-middle attack further out from your proxy, for instance.
- 1,559
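As an added illustration of the SslBump setup this answer describes (this is example configuration, not the answerer's or the Squid project's own), here is a squid.conf fragment for the Squid 3.2 to 3.4 era that uses bump-server-first with dynamic certificate generation, and explicitly keeps upstream certificate validation on so the proxy does not become the "blindly trusting" middlebox the last paragraph warns about. The CA file path, the ssl_crtd helper path, the certificate database directory and the `nobump` domain are assumptions; adjust them to your installation.

```squid
# --- squid.conf fragment: SslBump (bump-server-first) with dynamic certs ---
# Assumed paths; change to match your distribution's Squid build.
#
# One-off preparation (run as root, shown here as comments):
#   openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
#       -keyout /etc/squid/ssl_cert/schoolCA.pem -out /etc/squid/ssl_cert/schoolCA.pem
#   /usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db      # initialise the cert cache
#   openssl x509 -in /etc/squid/ssl_cert/schoolCA.pem -outform DER \
#       -out /etc/squid/ssl_cert/schoolCA.der                # CA cert to push to iOS/Android/Windows/OSX

# Explicit proxy port: CONNECT requests are bumped and served a dynamically generated cert
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/schoolCA.pem

# Intercepted HTTPS (if you redirect port 443 to the proxy on the gateway)
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/schoolCA.pem

# Helper that mints per-host certificates signed by the school CA
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Least-privilege inspection: leave some destinations untouched (assumed ACL)
acl nobump dstdomain .bank.example
ssl_bump none nobump

# Everything else: connect to the origin first, copy its details into the mimicked cert
ssl_bump server-first all

# Keep upstream validation strict. If the real server presents a bad certificate,
# refuse the request instead of hiding the problem behind Squid's own trusted cert.
sslproxy_cert_error deny all
# Do NOT add "sslproxy_flags DONT_VERIFY_PEER": that is the "blindly trust" setting
# that would let a man-in-the-middle beyond the proxy go unnoticed by every client.
```

With this in place the client sees a certificate for the real hostname, signed by the school CA it has been told to trust, while Squid itself still performs normal chain validation on the origin side. Devices that have not imported the CA will get a browser warning on every HTTPS site, which is the practical limit of this approach on unmanaged BYOD hardware.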
It is now possible to ask Google to redirect secure searches to HTTP - https://support.google.com/websearch/answer/186669?hl=en is the Google help page on the subject. They suggest using DNS trickery; this can be hard in Windows 2008r2. I personally prefer a connect-header rewrite to achieve the same goal, which can be done in all good web filters (and some bad ones).
I work for Smoothwall who provide a filter with just such a capability, and the ability to do some other SSL filtering too. I'm biased, but I suggest you take a look. When it comes to the tough stuff, it's a lot easier than rolling your own. In the interests of impartiality, there are other web filters out there :)
- 4,251
There's not a lot you can do. You could generate a self-signed SSL certificate for google.com, and MITM the traffic, and then you'd be able to inspect it and block as needed, except it depends how wily the kids are, and whether they'd fall for the process of accepting your self-signed certificate.
It's also probably illegal. You could block HTTPS traffic entirely, but that'd probably break all sorts of things.
- 27,578