2

From reading lots and lots of web pages I've come to the conclusion that:

to filter adult content (not block it completely) from https sites like Twitter I would need to set up something like dansguardian/squid etc. on my Ubuntu proxy box to perform a Man In The Middle interception of SSL.

Does anybody know if it's possible to do something like the following on my Ubuntu proxy:

  1. use a language such as bash/php to grab the 'contents' of specific https sites like Twitter that the user has requested (i.e. not breaking SSL). This would be like pressing ctrl-a / ctrl-c in a browser.

  2. write the contents to a file that is passed on to dansguardian.

  3. dansguardian then either allows or blocks the page depending upon its keyword filtering.

I'm already using OpenDNS / hosts file redirection which does a good job but not for sites like Twitter.

I've looked into technologies such as Untangle/K9 Web Protection but I am ideally searching for a free solution that can sit on a proxy. If I can leave SSL alone it seems like it would be easier/more secure/less support calls.

Thanks!

Steffen Ullrich
bananaman

3 Answers

1

It is possible to MITM without hacking/exploiting/breaking SSL (this is how Cloudflare works), the trick is to use 2 connections.

You host a web server (on your proxy box) that accepts all requests/connections (and therefore has access to unencrypted content from the user).

When a user who is using your proxy makes a request, your web server can accept the request and establish an SSL session with your user.
Within your code (e.g. PHP) you create a client instance that creates a second SSL connection to the requested server.
Your client instance gets the response on this second connection.
Your web server then resends that response (received by the client instance) back to the user on the first SSL connection.

If you require code examples of how to do this, I suspect this would lead to the question being too broad (too many, long/good answers possible).

NGRhodes
0

use a language such as bash/php to grab the 'contents' of specific https sites like Twitter that the user has requested (i.e. not breaking SSL)

With HTTPS the full URL is encrypted and only the hostname is sent in clear inside the TLS handshake. This means to even get the URL first and thus to know what the user has requested you have to be a man in the middle for SSL.

Steffen Ullrich
  • 1
    Steffen, note @bananaman's comment to his question saying he would be performing an MITM. – NGRhodes Sep 14 '16 at 18:04
  • @NGRhodes: the question clearly says "not breaking SSL" and it said it even more clearly before you've edited the title (after I answered the question). If this is not what the OP intended then the OP should have asked a different question instead of changing the meaning with a comment or let somebody else change the meaning by editing the question after it was answered. – Steffen Ullrich Sep 14 '16 at 18:08
  • Steffen, I think you misunderstood my point, "not breaking SSL" is possible with MITM, but to do so you must (as your answer states) decrypt SSL, which is the part of the title I changed. – NGRhodes Sep 14 '16 at 19:00
  • 1
    @NGRhodes: the question additionally states: "..If I can leave SSL alone". Thus the original intention was in my opinion that no SSL man in the middle should be done, which was also reflected in the title. I think the question is kind of confusing because on the one hand it talks about SSL interception and on the other that it does want to leave SSL alone and not decrypt it. I'm not sure if the OP was aware what SSL interception is. – Steffen Ullrich Sep 14 '16 at 19:45
0

Thanks all for your responses. I am a novice regarding filtering https and probably asked a confusing question. It's a pity that sites like Twitter don't offer safe URL versions of their content like Google safe search. SSL seems great except when you're trying to filter dodgy content :)

bananaman