0

I would like to set up a transparent SSL corporate proxy with either privoxy or squid.

One of the snags in my plan is understanding what kind of SSL certificate is required. I know I can get a multi-domain / wildcard SSL certificate; however, that is only intended to cover sub-domains for a single organization. It would seem that I need a wildcard cert for every TLD now and future on the planet.

I do not want security warnings popping up when users go through the proxy due to security-checks failing; I would also like to avoid installing a manual CA trust in browsers if possible. However, if commercial solutions are not feasible, what solutions are available for a self-signed cert?

Questions:

  1. Is this possible?
  2. If all constraints cannot be met, what is the best I can do?
  3. What is the least-cost path to success in a mixed windows / linux environment with the following browsers supported: IE, Firefox, Chrome?
Mike Pennington
  • 8,305
  • 9
  • 44
  • 87

1 Answers1

4

There are two approaches to MITMing SSL traffic:

  • You get a single trusted SSL certificate that wildcards everything (subjectAltName:*, subjectAltName:*.*, and so on); or
  • You get a trusted CA or intermediate certificate and create trusted certificates "on the fly" to present to clients.

The former is easier to do, but the latter is better if you don't want it to be obvious of what you're doing, because the certificate will look more "legitimate" to the casual observer.

The real trick is getting one of these super-special certificates. The easier way for a legitimate organisational proxy is to generate your own certificate signed with your own CA, and distribute that CA certificate to every device within your organisational control. The challenges and limitations of this approach should be fairly obvious.

A dodgier way of doing things is only typically open to governments and organisations big enough to subvert a CA (one way or another...) -- in this case, you get an existing legitimate CA, whose CA certificate is already near-universally trusted, to give you one of the above dodgy certs, and you go on your merry way.

This latter method isn't theory -- there are numerous cases of governments of oppressive regimes getting hold of these sorts of certificate to subvert SSL connections within their borders and spy on traffic passing through their chokepoints. If this makes it sound like the SSL security model is completely broken and flawed, then you've got the right idea.

womble
  • 96,255
  • 29
  • 175
  • 230
  • It appears that neither Firefox nor Chrome support "\*" or "\*.\*" wildcards (anymore, but apparently they did at some point). – Gima Mar 09 '15 at 09:45
  • Yeah, things have tightened up quite a bit in the last few years. Can't *imagine* why... – womble Mar 10 '15 at 04:51