Professional Documents
Culture Documents
SSL Proxy
SSL Proxy
ARTICA v 4.30.000000
Page 1
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
T ABLE OF CONTENTS
Introduction................................................................................................................................. 4
The benefits of HTTPS interception .................................................................................................................... 5
Detect malware downloads: ....................................................................................................................................................................................... 5
Detect C&C traffic: ......................................................................................................................................................................................................... 5
Detect exfiltration: ......................................................................................................................................................................................................... 5
Bypass HTTPS weaknesses: ........................................................................................................................................................................................ 5
Display correctly error pages: .................................................................................................................................................................................... 5
Speed: ................................................................................................................................................................................................................................... 5
Page 2
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
SSL Interception monitor ....................................................................................................... 25
Display generated certificates ............................................................................................................................. 25
Page 3
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
INTRODUCTION
Year by year the HTTPS traffic growth and the world going to provide a WWW(s).
Thanks to innovative projects like Let’s Encrypt, adoption of HTTPS is rising steadily: in mid-2015 it was at 39%, now it’s at 51%
of HTTPS requests.
Over 90% of the world’s HTTP traffic was expected to be secured over SSL/TLS by the end of 2019.
More and more SSL stats suggest that we’re getting closer to a 100% encrypted web. Browsers with a huge market presence,
such as Chrome and Firefox, are truly putting in the effort to get us there as fast as possible. However, divergent UI policies will
probably delay the whole process and cause users to suffer in the meantime.
97% of all traffic to Google in India is encrypted. (Source: Google’s Transparency Report)
India shares the first place with the UK and Japan. The next group of countries, where 95% of all traffic to Google is encrypted,
consists of Indonesia, Mexico, and Brazil. They’re followed by France with 92%, and Russia and the US, where 91% of traffic is
encrypted.
90% of pages loaded in Chrome in the US were over HTTPS in May 2019. (Source: Google’s Transparency Report)
Page 4
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
THE BENEFITS OF HTTPS INTERCEPTION
From Marnix Dekker, IT Security Strategy and Policy, European Commission (March 8, 2017)
Detect exfiltration:
Attackers could use HTTPS connections to exfiltrate data. In principle HTTPS interception could be used to detect if corporate
documents or files are being uploaded, for example by looking for known patterns, markers or headers in documents.
Speed:
HTTPS interception can be implemented relatively quickly, especially if you already have a proxy in place for outgoing Internet
connections. Most products in fact offer it as a simple add-on. Of course the work of implementation does not end here (see
below) but making changes to endpoints, such as installing software or hardening, could take much longer and require a lot of
work.
Page 5
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
REASONS AGAINST HTTPS INTERCEPTION
Strict transport security
HTTP Strict Transport Security (HSTS) is an Internet standard allowing websites to tell the browser to never accept non-
HTTPS connections.
This is important when a user forgets to type the S in the URL and it prevents from stripping attacks.
A similar thing is done with cookies.
If the website sets the cookie with a secure flag, then the browser will not send it back without HTTPS.
Part of the deal with HTTPS interception is that connections are re-encrypted with a fake certificate, a wildcard certificate (*),
which is valid for all websites.
This is a kind of impersonation or spoofing, except that it is done with good intentions.
The wildcard certificates are in fact not sold by real CAs, but an enterprise could create one with a non-official internal CA.
This wildcard certificate then needs to be installed on all the PC’s in the enterprise.
Whitewashing
Re-encryption with wildcard certificates effectively makes the browser and the user blind.
The browser will no longer be able to warn the user about HTTPS connections and the end-user has no way to see if the
certificate is valid and if the connection can be trusted.
The original certificate is whitewashed.
This would not be a problem of course if the intercepting proxy is perfect and flawless, refusing all the bad connections,
accepting only the good ones.
Certificate transparency
It is not enough to re-encrypt connections with wildcard certificates.
Certificate transparency is an extra protection measure allowing browsers to check if a certificate is normally used by that
website.
A browser like Google Chrome, for instance, warns users when a Google page is shown with a different certificate, even if it is
formally valid.
It is a reaction to the continuous security problems and breaches at CAs.
It is an important feature and it helped to discover the large-scale MITM attack on Iranian Internet users, aka the Diginotar
breach.
So HTTPS interception requires you to tweak also the browser to accept the masquerading of the original certificate without
complaints.
Certificate transparency needs to be turned off.
At this point it should be clear that HTTPS interception involves not only a quick intervention at the network monitoring box,
but that it actually involves changing how endpoints, browsers, and ultimately the end-users, handle HTTPS connections.
Choosing HTTPS interception has wider implications for IT at the organization.
Page 6
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
Disrupts BYOD:
Employees are increasingly using their own personal computers in the office and for work. Sometimes devices are used side-
by-side with corporate devices.
To implement HTTPS interception personal BYOD devices will need to be tweaked and configured, to install and trust the
wildcard certificate, and to turn off browser warnings.
This not only leads to a lot of work by the IT department, which runs counter to the very idea of BYOD, but it is also likely to
raise some eyebrows with users. HTTPS interception does not play well with BYOD.
With HTTPS interception in the enterprise and no HTTPS interception at home, the employee is dealing with two worlds:
At work all HTTPS connections look strange, but they are to be trusted.
Limited benefits
The benefits of HTTPS interception are small and will diminish:
Hard-shell-soft-inside
HTTPS is an extension of network monitoring and detection.
Investing in network monitoring and detection now is like betting on the horse that is lagging behind and visibly tired.
Not only is it easy for attackers to evade detection, it is a continuation of the traditional approach based on securing the
corporate perimeter (hard-shell-soft-inside).
It is known that this approach is flawed and it also clashes with the increased mobility of staff and the uptake of cloud services.
Implementing HTTPS just goes further down the wrong path.
Unknown reasons
You did not need decrypting HTTPS for Web filtering.
You did not need decrypting HTTPs for defining WAF ACLs
Page 7
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
KNOWN BEHAVIOR WITHOUT HTTPS
INTERCEPTION WITH ARTICA
When you not perform HTTPs interception:
Files extensions
Smartphones
Browser
SSL SNI domains
Mime type (GET)
Mime type (reply)
Web server filename reply
URL expression
Regex matching on URL path
Referer URL expression
Page 8
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
DENY REQUESTS PROVIDE BROWSERS CONNECTION ERRORS
If you block a website, when users need to access to this Website, a connection error is displayed on the browser.
This because the proxy :
Sends an HTTP error as the browser ask SSL protocols ( Deny ACL ).
Redirects the connection by return a 302 location that cannot be understood before the exchange certificate (Web-
filtering ).
Page 9
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
ENABLE HTTPS INTERCEPTION
CREATE A SELF-SIGNED ROOT CA
Why not an official certificate ?
An official certificate is only valid for *.yourdomain.com domain.
It is indeed wildcard but the wildcard applies only to subdomains of yourdomain.com.
When HTTPS decryption is enabled the sites being decrypted and re-encrypted are completely different, for example
www.google.com.
Using an official certificate did not make sense and did not avoid the trust browser SSL issue.
Your certificate in on “Not generated” status, this is normal, only the “Certificate Request” is generated
Click again on the certificate link to open its properties.
Page 10
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
Click on the Generate New Certificate button
This will build a new Self-signed certificate based on your parameters.
Page 11
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
AFFECT THE CERTIFICATE TO A PROXY PORT.
On the left menu, choose “Your proxy” / “Listen ports”
Click on the port you want to enable the HTTPS Interception.
Page 12
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
USING TRANSPARENT – WCCP METHOD
The transparent method did not use the same method.
In connected mode, the listen port can act as HTTP and HTTPs interception mode.
In transparent method, you need to create separately an HTTP port and an HTTPs port
Our first port hook destination 80 port. We need to create a second port to hook the 443 port.
Page 13
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
SSL RULES
Even if you have enabled SSL interception in the proxy ports, websites are still not decrypted.
By default, the proxy check all certificates but did not decrypt the protocol.
If you want to decrypt all websites or some websites, use the SSL rules.
On the left menu, choose Your Proxy / SSL protocol and SSL Rules
1) Turn the default rule to decrypt all websites and create rules that deny decrypting websites
2) Keep the default rule to not decrypt websites and specify which websites you want to decrypt.
The standard behavior is the option 2, let test decrypting all websites.
We click on the default rule and enable the “Decrypt SSL” checkbox.
Then Click on “Apply rules” on the main table in order to put rules in production mode.
Page 14
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
Deny some websites to be decrypted.
Some Websites, banking websites, governments websites detects that browsers pass trough an SSL interception method and
refuse to generates web page.
In this case, you need to “whitelist” a set of websites.
Page 15
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
Search “SSL SNI” and choose SSL SNI Domains.
This object is able to check domains directly in certificates.
In this case, all Websites that handle the defined domain will be not decrypted.
Page 16
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
On the new object, click on the “add” button in the row.
Add main domains in the list.
Page 17
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
CERTIFICATE ON BROWSERS
If you have enable HTTPS on the proxy and set default rule to decrypt all websites, going to goole.com cause the certificate
claim about
NET::ERR_CERT_AUTHORITY_INVALID
This because the proxy have decrypted the google website and re-encrypt the protocol with a new certificate built with its
private key.
www.google.com website using a dedicated self-signed certificate and the browser did not trust the Authority used by the
proxy.
Page 18
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
MICROSOFT INTERNET EXPLORER, GOOGLE CHROME OR OPERA
Both Microsoft Internet Explorer, Google Chrome , Opera and any other Chromium derived browsers use the same system
storage for root certificates.
The following screenshots show steps required to install Root Certificate into system certificate store.
After you have downloaded the PFX right-click on it and choose “Install PFX”
Page 19
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
On the Certificate Store screen,
Set the password field empty and click on next
click on Browse button and select “Trusted Root Certification
Authorities” and click on next button
MOZILLA FIREFOX
The best way is to enforce Mozilla to trust Microsoft Windows Root store
Create a file named root-trust-microsoft.js in o Firefox's C:\Program Files (x86)\Mozilla Firefox\defaults\pref directory.
pref("security.enterprise_roots.enabled", true);
On the next start Firefox will trust your CA add in Internet Explorer.
Page 20
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
After importing the certificate, you will see that the new connection to google.com is secure.
If you see the certificate used for the website
Page 21
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
THE WEB FILTERING ERROR PAGE BEHAVIOR.
If you using the web filter engine, you have to define the redirect page.
On the left menu, select “Web-filtering” / “Error page” and click on the Wizards button
Define the hostname as the same name defined in the Common Name of your certificate.
Ensure this hostname point to the IP address of the proxy in order to display the web page.
Page 22
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
Using HTTPs interception, the proxy is able to send correctly the redirection page.
By default the proxy redirect blocked requests to the HTTP web page.
Page 23
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
PROXY ERRORS PAGES BEHAVIOR
If you deny SSL sites or if an SSL site cannot be fetched by the proxy, the proxy is unable to send error content in the SSL tunnel.
The browser will display it’s own error and just displaying a connection error.
If you enable HTTPs interception, the proxy error page is correctly displayed
Page 24
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com
SSL INTERCEPTION MONITOR
DISPLAY GENERATED CERTIFICATES
Under the SSL protocol, click on “Certificates”.
You will see all generated certificates by the proxy ( generated each 10 minutes ).
Take a look on the last column, you will see the issuer.
The issuer is important and must be the same of the certificate installed on your browsers.
If you change the proxy certificate you need to “Rebuild the SSL cache” by clicking on the “Rebuild SSL cache” button.
Page 25
Artica v4.x : http://articatech.net | contact: contact@articatech.com | support: http://bugs.articatech.com