Dear Volker and others,

If I just inspect on host name only, do I have to create a CA and Certificate to install in the proxy server of pfSense anyway ???

Thanks a lot,
ADAM

2017-10-12 17:24 GMT-03:00 Volker Kuhlmann <[email protected]>:
> On Fri 13 Oct 2017 08:15:20 NZDT +1300, Adam Cage wrote:
>
> > This is useful to filter facebook, twitter, gmail and other HTTPS sites,
> > just taking into account the URL ??? What can't I block for example ???
>
> Look at squidguard rules - they're in 3 sections: hosts only, URLs, and
> general regexp. With http all 3 of them work (within the bugginess of
> squidguard and pfsense anyway).
>
> With https the URL is encrypted, except for the host name part. I.e. the
> SSL connection to the server is established on the host part only, and
> the client sends the full URL only over the SSL connection once
> established.
>
> So you have 2 options for https:
>
> 1) Full MITM attack, requiring client cert installs on all clients so
> that the clients establish encrypted connections with the key of your
> attack server (aka firewall) instead, and you have a chance of
> inspecting the content.
>
> 2) Inspect on host name only, that part is not encrypted.
>
> As everything is moving to http it's becoming seriously difficult to use
> squidguard as outgoing filter to get rid of all the shitvertising and
> privacy invading user tracking rubbish (which wastes my time, bandwidth
> and money for absolutely zero gain to me).
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/ Please do not CC list postings to me.
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
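Volker's point that only the host name is visible on an HTTPS connection, shown as an added Python example (not code from the thread, pfSense or squidGuard): it builds a constructed TLS ClientHello, pulls the host out of its cleartext SNI extension, which is all a host-only filter gets to see before the session is encrypted, and applies a squidGuard-style domain match to it. The names build_client_hello, extract_sni and host_blocked are my own.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello carrying one SNI extension."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)              # client_version + 32-byte random
            + b"\x00"                            # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                        # one compression method (null)
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if absent/not a ClientHello."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 43                                   # record hdr(5) + hs hdr(4) + version(2) + random(32)
        pos += 1 + record[pos]                     # skip session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # skip cipher suites
        pos += 1 + record[pos]                     # skip compression methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:                      # server_name: list length, then (type, len, name)
                p = pos + 2
                while p + 3 <= pos + ext_len:
                    name_type, name_len = record[p], struct.unpack("!H", record[p + 1:p + 3])[0]
                    if name_type == 0:
                        return record[p + 3:p + 3 + name_len].decode("ascii", "replace")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):             # truncated or malformed record
        return None
    return None

def host_blocked(host: str, blocked_domains) -> bool:
    """squidGuard-style domain list match: the host itself or any subdomain of a listed domain."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in blocked_domains)

if __name__ == "__main__":
    hello = build_client_hello("www.facebook.com")
    sni = extract_sni(hello)
    print(sni, host_blocked(sni, ["facebook.com"]))   # the path of the URL never appears here
```

The path portion of the URL is absent from the ClientHello by construction, which is why squidGuard's URL and regexp sections cannot match HTTPS traffic without the MITM option.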
