Hi, I need to implement URL filtering in the network of one of our customers. As is well known, by now the majority of websites belonging to the blocked categories travel over HTTPS.
In these cases, a proxy is used that decrypts the SSL traffic and then analyzes it against the URL filtering rule set.
Does the MikroTik Web Proxy configuration do just that? If so, does it work well? Thanks
Where have you read this idiocy?
The only way to decrypt “SSL” is to “hack” the web browser and/or the OS…
For example, simply adding a “proxy” to open https://google.com causes an error in the browser, because www.google.com is “pinned” to specific IPs / certificate IDs…
It is more complex in the details, but this is sufficient as an example.
Well, let’s put it differently: how does MikroTik implement URL filtering on SSL traffic?
There is no way, and the vendor does not have any importance.
You must hack the devices to see inside https url requests.
This is absolutely not correct.
There are proxies which intercept HTTPS traffic, decrypt and re-encrypt the request, and allow URL filtering.
However, this needs installation of certs on the client devices, which is possible only on local nets.
It does not work for certain sites using pinned certs, though.
All this is not trivial, and by far exceeds the limits of MT’s proxy. It needs a powerful OpenWrt device, at least.
Good evening,
In fact that was exactly what I meant, but I probably expressed myself badly. I have been working for many years with a firewall whose brand I don’t want to specify, with which I implement URL filtering exactly this way.
In practice, the SSL proxy of this firewall intercepts connections from the client over TCP port 443 and carries out the SSL negotiation with the web server on behalf of the client.
Then it analyzes the certificate sent by the server.
If the certificate is compliant, the SSL proxy decrypts traffic, which will then be evaluated by the filter rules that follow.
It also generates a fake certificate and presents it to the client, which will verify the certificate.
If the certificate is present (this is the reason why the certificate generated by the firewall is required to be installed in the browser), the traffic will be secured. Application protections will then be applied.
My need arises from the fact that the firewall I work with has quite high costs, so if the customer has detached offices, I had thought of MikroTik RouterBoards to do this.
It seems to me that this is not possible natively.
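The interception flow described in the post above, as an added example that is not part of the original thread and not any vendor's product code: a small Go program that plays the role of the firewall's private CA, mints the forged leaf certificate for the host the client asked for, and replays the client's own check with and without that CA in its trust store. The CA name and host names are illustrative; the real server-side handshake and certificate pinning are not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ProxyCA is the intercepting proxy's private CA: the key that signs the
// on-the-fly leaf certificates, and the certificate that has to be installed
// in every client's trust store for those leaves to be accepted.
type ProxyCA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewProxyCA generates a self-signed CA. The name is illustrative.
func NewProxyCA(name string) (*ProxyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ProxyCA{Key: key, Cert: cert}, nil
}

// MintLeaf is the "fake certificate" step: once the proxy has finished its own
// handshake with the real server and checked the real certificate, it issues a
// short-lived leaf for the requested host (normally the SNI of the ClientHello)
// under its own CA and presents that to the client instead.
func (ca *ProxyCA) MintLeaf(host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // modern clients match the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return leaf, key, nil
}

// ClientAccepts replays the client-side check: chain the leaf to the roots the
// client trusts and match the host name. With the proxy CA absent from the pool
// (the default state of any device nobody has configured) this fails.
func ClientAccepts(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

func main() {
	ca, err := NewProxyCA("Example Filtering Proxy CA")
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.MintLeaf("www.example.com")
	if err != nil {
		panic(err)
	}
	withCA := x509.NewCertPool()
	withCA.AddCert(ca.Cert)
	fmt.Println("proxy CA installed:    ", ClientAccepts(leaf, "www.example.com", withCA))
	fmt.Println("proxy CA not installed:", ClientAccepts(leaf, "www.example.com", x509.NewCertPool()))
}
```

The second line of output is the browser error the thread keeps coming back to: without the proxy CA in the client's trust store the forged leaf chains to nothing, so the only way to make interception "work" is to touch every client. A client that pins the real site's key compares the leaf against that pin and rejects the forged one even when the CA is installed, which this example does not model.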
MikroTik routers cannot do this. And it will become impossible in other devices as well because more and more protective measures are being rolled out to prevent this man-in-the-middle attack even when the user agrees to it (because users often do not know what they are agreeing to).
“traffic will be secured” is not true! The traffic is available for tapping in the proxy. That is why it is able to filter the URL and the content.
I do not fully agree with what you are writing, in any case thanks for the reply.
In case you did it already using squid, then you can do it on an OpenWrt device the same way. And use the box as a router, too, of course.
For such “tricks”, MT is not the best choice. Because it is closed, unfortunately.
Ah, no?
[....]
However, this needs installation of certs on the client devices, which is possible only on local nets.
[....]
Oh .. you have to hack (modify, do something, call it whatever you like) something???
Dear big absolute expert, where is the right way without touching the client device?
Your reply is absolutely useless.
It is (for now) possible to filter based on the “outer” domain name as transmitted in the TLS negotiation. In order to indicate to the server which certificate to use, the clients send the domain name as “server name indication” (SNI). This happens before the certificate is presented, so this information is in the clear. You can use Mikrotik RouterOS devices to filter based on the SNI domain name. See the firewall documentation under “tls-host”.
There are several caveats:
If the packet with the SNI is fragmented, the firewall rule is not triggered. Depending on your firewall style (default deny or default allow), this means some connections get through that shouldn’t or some connections get blocked that should be allowed.
The SNI domain name isn’t necessarily the same as the host which is requested by the host header inside the encrypted connection. This technique is called domain fronting and can be used to evade SNI based filtering.
An improvement on SNI, called ESNI, has been developed which also encrypts the SNI, rendering any attempt to passively learn the domain name moot.
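To make the SNI caveats above concrete, an added example that is not from the original post and not MikroTik code: Go that builds a ClientHello carrying a server_name extension, extracts the host the way a matcher working on a single TCP segment (such as tls-host) must, and applies a block list so that the default-allow versus default-deny difference on a fragmented hello is visible. The `*` wildcard matching via path.Match is an approximation of the RouterOS syntax, assumed here; ESNI/ECH and domain fronting are not modelled, since both leave the parser with either no name or the wrong one.

```go
package main

import (
	"errors"
	"fmt"
	"path"
)

var (
	ErrIncomplete = errors.New("ClientHello not fully contained in this segment")
	ErrNoSNI      = errors.New("no server_name extension")
	errMalformed  = errors.New("malformed ClientHello")
)

func put16(b []byte, v int) []byte { return append(b, byte(v>>8), byte(v)) }
func get16(b []byte) int           { return int(b[0])<<8 | int(b[1]) }

// skip steps over one length-prefixed field (lenBytes-byte big-endian length).
// It returns nil when b is too short, so calls can be chained safely.
func skip(b []byte, lenBytes int) []byte {
	if len(b) < lenBytes {
		return nil
	}
	n := 0
	for _, c := range b[:lenBytes] {
		n = n<<8 | int(c)
	}
	if len(b) < lenBytes+n {
		return nil
	}
	return b[lenBytes+n:]
}

// BuildClientHello constructs a minimal TLS 1.2-format ClientHello record with a
// server_name extension for host. Constructed test data: zeroed random, one suite.
func BuildClientHello(host string) []byte {
	name := []byte(host)
	sni := append(put16(nil, 3+len(name)), 0x00) // server_name_list length, name_type host_name
	sni = append(put16(sni, len(name)), name...)
	ext := append(put16(put16(nil, 0x0000), len(sni)), sni...) // extension_type server_name
	hello := append([]byte{0x03, 0x03}, make([]byte, 32)...)   // client_version, random
	hello = append(hello, 0x00)                                 // session_id length
	hello = append(hello, 0x00, 0x02, 0x13, 0x01)               // cipher_suites
	hello = append(hello, 0x01, 0x00)                           // compression_methods
	hello = append(put16(hello, len(ext)), ext...)
	hs := append([]byte{0x01, byte(len(hello) >> 16), byte(len(hello) >> 8), byte(len(hello))}, hello...)
	return append(put16([]byte{0x16, 0x03, 0x01}, len(hs)), hs...) // record: handshake
}

// ExtractSNI reads the host_name from the first TLS record in seg, the way a
// firewall matching on one TCP segment would. It refuses to guess when the
// record or the handshake message extends beyond the bytes it was given.
func ExtractSNI(seg []byte) (string, error) {
	if len(seg) < 5 || seg[0] != 0x16 {
		return "", errors.New("not a TLS handshake record")
	}
	recLen := get16(seg[3:])
	if len(seg) < 5+recLen {
		return "", ErrIncomplete // record continues in a later segment
	}
	b := seg[5 : 5+recLen]
	if len(b) < 4 || b[0] != 0x01 {
		return "", errors.New("not a ClientHello")
	}
	hsLen := int(b[1])<<16 | int(b[2])<<8 | int(b[3])
	if b = b[4:]; len(b) < hsLen {
		return "", ErrIncomplete // handshake message spans several records
	}
	if b = b[:hsLen]; len(b) < 34 {
		return "", errMalformed
	}
	b = skip(skip(skip(b[34:], 1), 2), 1) // past version+random, session_id, cipher_suites, compression_methods
	if len(b) < 2 || len(b) < 2+get16(b) {
		return "", errMalformed
	}
	for b = b[2 : 2+get16(b)]; len(b) >= 4; {
		typ, l := get16(b), get16(b[2:])
		if b = b[4:]; len(b) < l {
			return "", errMalformed
		}
		if typ == 0 { // server_name: list_len(2) name_type(1) name_len(2) name
			if l < 5 || b[2] != 0 || 5+get16(b[3:]) > l {
				return "", errMalformed
			}
			return string(b[5 : 5+get16(b[3:])]), nil
		}
		b = b[l:]
	}
	return "", ErrNoSNI
}

// Verdict applies a tls-host style block list. When the SNI cannot be read from
// this segment, a default-deny policy drops the flow and a default-allow lets it through.
func Verdict(seg []byte, blocked []string, defaultDeny bool) string {
	host, err := ExtractSNI(seg)
	if err != nil && defaultDeny {
		return "drop"
	}
	for _, pat := range blocked {
		if ok, _ := path.Match(pat, host); err == nil && ok {
			return "drop"
		}
	}
	return "accept"
}

func main() {
	seg := BuildClientHello("www.example.com")
	fmt.Println(ExtractSNI(seg))
	fmt.Println(ExtractSNI(seg[:40])) // the hello cut mid-record, as a fragmented first segment
	fmt.Println(Verdict(seg[:40], []string{"*.example.com"}, false), Verdict(seg[:40], []string{"*.example.com"}, true))
}
```

The fragmented case is the one to test on a real deployment: a ClientHello with a long cipher list or extra extensions can cross a segment boundary, and a rule that only sees the first segment then falls back to whatever the chain's default is. Note too that the name returned here is whatever the client chose to put in the extension; nothing ties it to the Host header sent later inside the encrypted stream.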
If you configure clients’ browsers to explicitly use proxy servers (such as squid), then the browser explicitly contacts the proxy and fully expects the proxy to handle connections towards content servers.
So in this case browsers don’t expect to handshake with e.g. www.__google.com, they expect to handshake with proxy.corporation.com, and none of the certificate monkeying is necessary. Often (if not always) connections between the client browser and the proxy are unencrypted anyway.
But making clients use proxy servers means forcing some configuration on clients. Which can be done on devices fully controlled by corporate IT staff, but not on random devices brought into the network (or in café wireless or anywhere else). Which makes the use of proxies to do content filtering very awkward and inefficient these days.
@rextended
There is no way, and the vendor do not have any importance.
This is definitely not correct. Or, in your words, “idiotic”.
An MT device actually does not run something like squid as an intercept/explicit proxy. Which is the “kernel” required for HTTPS URL filtering.
But lots of OpenWrt devices, having moderate resources, can do this. Because of the open architecture, as opposed to MT.
And squid can, and does, filter HTTPS URLs (with some exceptions, as stated).
To call the installation of a certificate on a user’s device “hacking” is a bit far fetched.
It is not so uncommon to install a special cert on a PC. Or a linux box. Nobody, besides the Guru of the Gurus, would call this “hacking”.
In a few words: MT cannot do what the opener of the thread was asking for.
This is also a limitation of MT. Because an OpenWrt device, for example, can run squid, which is able to “examine” the complete SNI and filter it at a higher level.
Which means, this limitation does not exist then.
You look like an "idiot" to me.
Next time, quote only a word instead of the full post.
So maybe you will be right for sure.
Full original quote:
There is no way, and the vendor does not have any importance.
You must hack the devices to see inside https url requests.
And about SNI: the OP asks about "URL", not only the domain name.
Hi, I need to implement URL filtering in the network of one of our customers. As is well known, by now the majority of websites belonging to the blocked categories travel over HTTPS.
In these cases, a proxy is used that decrypts the SSL traffic and then analyzes it against the URL filtering rule set.
Does the MikroTik Web Proxy configuration do just that? If so, does it work well? Thanks
Well, let's put it differently: how does MikroTik implement URL filtering on SSL traffic?
But maybe this was misspelled and simply means "domain filter"?
The installation of a certificate on a users device to call “hacking” is a bit far fetched.
It is not so uncommon to install a special cert on a PC.
That does not mean it is a wise or desirable thing to do! It essentially breaks the entire system of trust between the PC and the website.
It tells the PC “you should trust our company, not the guys that made the website”.
That may be “ok” in some special cases (e.g. PCs belonging to some company and used by employees on the premises), but even there it can infringe rights (depending on the country).
In the more general case it is just not good, and certainly something that should be avoided when possible.