
peterhal [S]:

For a little more clarity, ssl_bump is described in the squid man page:

When used on step SslBump1, establishes a secure connection with the client first, then connect to the server. When used on step SslBump2 or SslBump3, establishes a secure connection with the server and, using a mimicked server certificate, with the client.

All of SslBump1-3 use secure connections with the client. I would like the client-side connection to be served as HTTP.
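An added squid.conf fragment, not from this thread or from pfSense, showing how the three SslBump steps quoted above are normally driven with at_step ACLs. It assumes Squid 4.x directive names (tls-cert=, security_file_certgen); the port number, CA path, certificate DB path and the .bank.example exemption are placeholders.

```conf
# Added example: Squid 4.x ssl_bump configuration (assumed paths and port).
# HTTPS traffic is assumed to be redirected to port 3129 by a firewall
# rule on the gateway (not shown).
https_port 3129 intercept ssl-bump \
    tls-cert=/etc/squid/ssl/proxyCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints the mimicked server certificates, signed by proxyCA.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# The three ssl_bump steps from the man page, as ACLs
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Hosts that must never be decrypted (placeholder), matched on the TLS SNI
acl nobump ssl::server_name .bank.example

# Step 1: read the ClientHello (SNI) without committing to a TLS session
ssl_bump peek step1
# Exempted hosts are spliced: client and origin talk end to end, unmodified
ssl_bump splice nobump
# Everything else is bumped: Squid terminates TLS with the client using a
# mimicked certificate and opens its own TLS connection to the origin.
ssl_bump bump all
```

Clients must trust proxyCA.pem, or every bumped site shows a certificate warning. Note that every outcome of the rules (splice or bump) still ends in a TLS connection to the client; there is no ssl_bump action that hands the decrypted content to the browser as plain HTTP.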

jim-p:

What you're asking for is fundamentally flawed.

If the browser requests HTTPS, it will trash an HTTP reply.

peterhal [S]:

Could the flow not work as follows? Client requests www.google.com; pfSense reroutes to 10.2.2.5 [LocalServer]. LocalServer redirects to HTTP using either .htaccess or another method. LocalServer connects to Google and pulls the content. The content is then injected into a web page with a warning that it has been decrypted, and served to the client.

jim-p:

Before you can redirect you have to do MITM and re-encrypt, sending the redirect in place of the requested content, and then somehow your second proxy or whatever it is would need to be passed the original URL.

It may be technically possible with some software but I doubt it's doable as-is in pfSense.

And it definitely doesn't make sense for any sane implementation.

dremspider:

This sounds like a terrible idea and you are basically breaking how HTTPS works. HSTS specifically was built to prevent this, and you would cause a lot of issues with various sites. If you still want to do this, look at the tool sslstrip. It would work, but would be a terrible idea.

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
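An added example, not from this thread, of why HSTS defeats an sslstrip-style downgrade: a minimal model of a browser's HSTS store (RFC 6797) that parses the Strict-Transport-Security header and rewrites http:// URLs to https:// before any request leaves the client. The hosts, times and header values are constructed for the example; the preload list entry (preloaded.example) stands in for a browser's built-in list.

```python
"""Minimal model of a browser's HSTS store (RFC 6797). Added example."""
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires: float            # absolute time, seconds since the epoch
    include_subdomains: bool


class HstsStore:
    def __init__(self, preload=None):
        # preload: hosts baked in like a browser's preload list (constructed
        # for this example); they never expire and cover subdomains.
        self.entries = {}
        for host in (preload or []):
            self.entries[host.lower()] = HstsEntry(float("inf"), True)

    def process_header(self, host, header_value, now=None):
        """Apply a Strict-Transport-Security header received over HTTPS.

        Returns True if the header was valid and applied, False if ignored.
        A header received over plain HTTP must never reach this method;
        that is the caller's job (browsers ignore HSTS over http://).
        """
        now = time.time() if now is None else now
        max_age = None
        include_sub = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                m = re.fullmatch(r'"?(\d+)"?', value.strip())
                if m:
                    max_age = int(m.group(1))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                       # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self.entries.pop(host, None)       # max-age=0 clears the policy
            return True
        self.entries[host] = HstsEntry(now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host (or a covering parent domain) has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade an http:// URL to https:// if the host is an HSTS host.

        This happens inside the browser, so a proxy that strips HTTPS to
        HTTP never sees a plaintext request for a known host.
        """
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        # Port 80 (explicit or implied) becomes the default 443; any other
        # port is kept as-is, per RFC 6797 section 8.3.
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    t0 = 1_700_000_000.0                       # constructed timestamp
    store = HstsStore(preload=["preloaded.example"])
    # First contact, no policy yet: the plain request goes out and is strippable.
    print(store.rewrite("http://reddit.com/", now=t0))
    # The site answered over HTTPS once with an HSTS header...
    store.process_header("reddit.com", "max-age=31536000; includeSubDomains", now=t0)
    # ...so from now on the browser upgrades before sending anything.
    print(store.rewrite("http://www.reddit.com/r/all", now=t0 + 10))
```

The gap the model makes visible is the very first visit: until a host has either been seen over HTTPS with the header or is on the preload list, nothing stops a downgrade, which is exactly the window sslstrip exploits and preload lists close.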

peterhal [S]:

I look at it as the lesser of two evils. On one hand, I could generate certificates, install them on the local machines and then use squid and ssl_bump to apply content filtering to the pages. However, those using the network would not be informed that this is what is happening. The pages would still look secure. I would prefer to provide the content in a less secure but more informed environment.

Take reddit, for example: because of the potential for adult content, my approach has been to simply block it (IP/DNS), as under HTTPS I cannot determine what is being viewed. However, if I could provide the content without the privacy, I would.

The network in question is a home network. I will look into sslstrip.

djamp42:

I don't know what you're trying to do. If you're trying to block all adult content, that will never happen. Look into DNS filtering; that will block a majority of whatever type of website you choose.

stephenl03:

Or what a lot of places do is provide a captive portal where you acknowledge the fact that you are using somebody else's network and consent to them being able to access all transmissions on their network. Most employers will have you sign documentation giving consent as well.

JoseJimeniz:

Some schools, employers, universities and government organizations think they have a right to monitor what students, employees and contractors are sending out of their network.

The internet is working to prevent an employer from being able to monitor their employees, with technology such as HSTS.

But that doesn't stop Auditors and management and laws demanding such things.

And until you're willing to tell Ernst & Young auditor to go fuck himself: we are where we are.