https anonymous proxies

#1

    Anyone know a way to successfully kill https proxy sites with ISA 2006? I can put them in the deny domains, I put every variation I can think of in the deny URLs and they go away. They then start working again a couple of days later, at least the https addresses will; it's bugging the hell out of me. Any help graciously accepted. I've even put the domain into our SonicWall box content filter but the https addresses bypass that as well.

#2 ZeroHour
    tbh the only real fix I can think of is to use a whitelist of allowed https sites and block the rest. That's how we cured it here, and even then we have a separate list of URLs for staff and pupils in ISA. Smoothwall has some https scanning stuff but since we don't allow it here anyway I have not looked into it. No doubt Tom/others will elaborate.

    Thanks to ZeroHour from: DaveJ2717uk (11th May 2009)

#3 tom_newton
    Ooh, elaboration time... what fun

    HTTPS traffic is end-to-end encrypted. When any eavesdropper (ISA included) sees it, it is nothing but "garbage". Generally we can recognise it by the port it lives on (443).

    If we are doing transparent filtering there's not a lot you can do about this (though we are working on some hacks here at SmoothWall to try and improve that situation).

    If you are doing non-transparent, then when the browser wants to make its end-to-end encrypted tunnel, it has to ask the proxy for permission. This comes in the form of a connect request. This allows us to see the domain only. We can easily block and allow these requests. SmoothWall has been doing this for ages, and ISA must be able to too?!
    The thing to remember is *domain* only - no URL (so nothing after the /).
    With this method you will find yourself doing the "proxy chase" - forever reactively blocking new domains, same as non-https. This applies if you are a single admin, or if you are a top-5 web filter company (you guys know who you are). You can, of course, go for the "whitelist only HTTPS" solution - my friend Stewart at Malvern College (who I believe still only lurks here...) has been doing this for (literally) many years, before a lot of people had even heard of HTTPS proxies. If you don't mind generating parts of the whitelist yourself, and your solution supports it, this is not a bad method.

    The second stage in proxy finding is to do a cert check. Most proxy operators have invalid or self-signed SSL certificates, because valid ones cost money. 90% of proxies are a money making venture, and CA fees would hit the bottom line. For this reason, a cert check will give good effectiveness against a range of proxies. This does overblock when the odd bank or govt. department can't get their act together (you lads know who you are as well: "HSBC forgets to renew its digital certificate", The Register) but generally, pretty benign. SmoothWall have been doing this for a while. We enjoy it.

    Finally... there's the full gun - Man In The Middle interception. This uses your proxy to turn 1 SSL session into 2 - with a small gap in between so you can examine the URL and page content. This is VERY powerful. Scary in places. A number of vendors do this - but look for ones who don't store the data, who warn users, and who allow exception sites. This technique basically drops the HTTPS proxy down to being about as well hidden as a normal HTTP one. Even better, our pals the proxy authors aren't really expecting us to be this sophisticated, so they actually obfuscate their intentions even less - making these arguably easier to block. We SmoothWall folk have been doing this only a month - relatively little feedback as yet but seems like fun.

    Hope that helps, if anyone would like more info, I am usually available by phone/email/edugeek

    Tom

    4 Thanks to tom_newton: DaveJ2717uk (11th May 2009), john (11th May 2009), User3204 (11th May 2009), ZeroHour (11th May 2009)
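The two pre-MITM checks described in the post above, as an added example in plain Python that is not code from the thread, from SmoothWall or from ISA: first, the CONNECT request a non-transparent proxy sees carries a hostname and port only, so a filter can match a deny list (including www./ssl. variants of a blocked domain) or run in whitelist-only mode, but never sees a path; second, a cheap certificate check that flags self-signed or expired certificates, written against the dict that Python's `ssl.SSLSocket.getpeercert()` returns so it can be exercised offline. Every hostname, list entry and certificate value below is constructed for the example; `fetch_peer_cert()` is the only function that touches the network.

```python
"""Added example, not code from the thread, SmoothWall or ISA.

1. parse_connect()/decide_connect(): domain-only filtering on the CONNECT line.
2. cert_looks_suspicious(): the self-signed/expired check on a getpeercert()
   dict; fetch_peer_cert() is the live call that produces such a dict.

All hostnames, lists and certificate values here are constructed.
"""
import socket
import ssl
import time

# Constructed lists; a real filter would load these from its own database.
DENY_DOMAINS = {"example-proxy.test"}
ALLOW_DOMAINS = {"bank.example", "vle.example"}   # used in whitelist mode


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:443 HTTP/1.1', else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.lower().rstrip("."), int(port)


def domain_matches(host, domains):
    """True if host equals or sits under any listed domain, so www./ssl./cdn.
    variants of a blocked proxy domain need no separate entries."""
    return any(host == d or host.endswith("." + d) for d in domains)


def decide_connect(request_line, whitelist_mode=False):
    """'allow', 'deny' or 'bad-request'.  Only the domain is available here;
    the URL path inside the tunnel is never visible without MITM."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "bad-request"
    host, port = parsed
    if port != 443:            # CONNECT to other ports is a tunnel-anything hole
        return "deny"
    if whitelist_mode:
        return "allow" if domain_matches(host, ALLOW_DOMAINS) else "deny"
    return "deny" if domain_matches(host, DENY_DOMAINS) else "allow"


def _name_to_dict(rdns):
    """getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple
    of (attribute, value) pairs."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def cert_looks_suspicious(cert, now_ts=None):
    """Return the reasons a getpeercert()-style dict fails the cheap check;
    an empty list means it passed.  now_ts lets a caller pin the clock."""
    now_ts = time.time() if now_ts is None else now_ts
    if not cert:
        return ["no certificate presented"]
    reasons = []
    if _name_to_dict(cert.get("subject", ())) == _name_to_dict(cert.get("issuer", ())):
        reasons.append("self-signed (issuer == subject)")
    try:
        # ssl.cert_time_to_seconds parses 'Jan  1 00:00:00 2010 GMT' into epoch seconds
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now_ts:
            reasons.append("expired")
    except (KeyError, ValueError):
        reasons.append("missing or unparsable notAfter")
    return reasons


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check.  With the default (verifying) context an untrusted or
    self-signed chain raises before the handshake completes; that failure is
    itself the signal the post describes.  Returns (cert_dict, error)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, "verification failed: %s" % exc.verify_message
    except OSError as exc:
        return None, "connect failed: %s" % exc


# Constructed samples in the shape getpeercert() returns.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "example-proxy.test"),),),
    "issuer": ((("commonName", "example-proxy.test"),),),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Jan  1 00:00:00 2010 GMT",
}
CA_ISSUED_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Jan  1 00:00:00 2035 GMT",
}

if __name__ == "__main__":
    for line in ("CONNECT www.example-proxy.test:443 HTTP/1.1", "CONNECT bank.example:443 HTTP/1.1"):
        print(line, "->", decide_connect(line), "/ whitelist mode:", decide_connect(line, True))
    print("self-signed sample:", cert_looks_suspicious(SELF_SIGNED_CERT, now_ts=1_700_000_000))
    print("CA-issued sample:", cert_looks_suspicious(CA_ISSUED_CERT, now_ts=1_700_000_000))
```

The overblocking Tom mentions shows up in `fetch_peer_cert()`: a legitimate site with a lapsed certificate fails the same way a proxy's self-signed one does, so a deployment that acts on this check needs an exception list alongside it.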

#4 Geoff
    Quote Originally Posted by tom_newton:
    Finally... there's the full gun - Man In The Middle interception. This uses your proxy to turn 1 SSL session into 2 - with a small gap in between so you can examine the URL and page content. This is VERY powerful. Scary in places. A number of vendors do this - but look for ones who don't store the data, who warn users, and who allow exception sites. This technique basically drops the HTTPS proxy down to being about as well hidden as a normal HTTP one. Even better, our pals the proxy authors aren't really expecting us to be this sophisticated, so they actually obfuscate their intentions even less - making these arguably easier to block. We SmoothWall folk have been doing this only a month - relatively little feedback as yet but seems like fun.

    This 'feature' is available to anyone running Squid 3.1 or later via the SSLBump configuration directive. Some client side configuration is required if you wish it to be totally 'quiet' (you must push out your server certificates to clients so the browsers trust you). You may intercept, alter and adapt the HTTP session, once it's been decrypted by Squid/SSLBump, via ICAP.
    Last edited by Geoff; 11th May 2009 at 04:11 PM.
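The Squid setup Geoff refers to, as an added example that is neither his configuration nor the Squid project's own: a minimal Squid 3.1 `squid.conf` fragment that bumps HTTPS with a local CA, exempts a domain the way Tom's "exception sites" advice suggests, refuses to re-sign upstream certificates that fail validation, and hands the decrypted session to an ICAP filter. The certificate paths, the exempt domain and the ICAP service address are assumptions.

```conf
# Added example, not from the thread. Squid 3.1 SSL bump plus ICAP adaptation;
# needs a build with --enable-ssl and --enable-icap-client. Paths, the exempt
# domain and the ICAP address are assumptions. bump-ca.pem is your own CA and
# its public half must be pushed to client trust stores, or every bumped site
# warns in the browser.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key

# Exception sites are tunnelled untouched; everything else is bumped.
acl nobump dstdomain .bank.example
ssl_bump deny nobump
ssl_bump allow all

# Do not paper over bad upstream certificates: a self-signed proxy site should
# fail here and be logged, not be re-signed by our CA and handed to the user.
sslproxy_cert_error deny all

# Once bumped, the plaintext request and response go to the filter over ICAP.
icap_enable on
icap_service bump_req reqmod_precache bypass=0 icap://127.0.0.1:1344/request
icap_service bump_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response
adaptation_access bump_req allow all
adaptation_access bump_resp allow all
```

Two caveats a practitioner would want: `bypass=0` means the ICAP service failing closes the connection rather than silently skipping the filter, which is the safe default for a content filter; and in Squid 3.1 the single `cert=` is presented for every bumped site, so browsers see a name mismatch on each one even with the CA trusted. Per-site certificate generation arrived in later Squid versions.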

#5 tom_newton
    Geoff - indeed it is. We will (probably) drop our implementation and use Squid's in the 2010 branch of SmoothWall, but with it still being in beta (alpha when the SSL MITM project was spec'd) we did it ourselves. We also use our custom SSL stuff for MITM inspecting Jabber (Google Talk) IM.

#6 azrael78

    What we have done for students at least - is to totally block any HTTPS traffic using ISA 2006's protocol/port blocking rules.

    The only time they need it is for the VLE and that doesn't go through our proxies on-site as that goes straight to the county equipment.

    It works for us - staff however, have HTTPS available to them.

    Az

    Thanks to azrael78 from: DaveJ2717uk (12th May 2009)

#7 john
    Must admit I've still to read that section of the manual for that new feature in my Smoothwall. Just playing with getting the VPN set up and publishing sites through it; well, the sites are done, it's just the VPN to go now. Nearly there on that score, then it's back to looking at the SSL. But it's a good thing to have.

#8 Geoff
    Quote Originally Posted by tom_newton:
    Geoff - indeed it is. We will (probably) drop our implementation and use squids in the 2010 branch of SmoothWall, but with it still being in beta (alpha when the SSL MITM project was spec'd) we did it ourselves. We also use our custom SSL stuff for MITM inspecting jabber (googletalk) IM.

    Does this mean you'll be reimplementing some/all of DansGuardian as an ICAP plugin?

#9 tom_newton
    Geoff, unfortunately, no. We've looked at both eCAP and ICAP and we couldn't get either to do what we wanted; ICAP is too limited, eCAP is so tightly bound to Squid that you end up sharing Squid's process model, which is OK for a proxy but crap for a filter.

#10 Geoff
    That's a shame.
