I've compiled the latest OpenWrt snapshot with squid ssl
I'm running x86 (64bit)
I have a Let's Encrypt SSL certificate
/usr/lib/squid/ssl_crtd doesn't exist
All is working fine as far as I can tell, however I can't set up squid as a transparent https proxy.
I wanna use squid as an https adblocker, theoretically since I have a valid certificate that should work, right?
An https adblocker needs to have its own CA, as it's a MITM proxy and needs a valid cert for every HTTPS domain it processes. For example, if you intercept and remove ads from https://youtube.com, you need a valid cert for that domain. But obviously no public CA will give you such a cert.
A -> B -> C
If B makes a request to C on behalf of A, by asserting itself as an HTTPS DNS resolver it should be able to manipulate these requests accordingly, no? Since B is authorised by a CA.
I mean this is already done by local adblockers like browser extensions, no?
If we know what we want and what we don't want, we can adjust our request accordingly ...
The entire purpose of HTTPS is to stop B from eavesdropping on or manipulating traffic, so it needs to be a signed cert that is valid for domain C.
A local adblocker edits the page after the browser has downloaded the page. Network security doesn't apply there.
You described one scenario. However, transparent https intercept using squid _is_ possible. But this will need squid's special cert installed on all clients. Not often possible. And even this is not 100%, because of HSTS, pinned certs etc.
https intercept is aiming at a moving target.
Traffic that is between my computer and X's computer is mine or at least I really do hope so, cause otherwise I dunno who's doing what ay ...
Your point is valid but that's just 1 thing, “He who sacrifices freedom for security deserves neither.”
The traffic is Google's. As they pushed a lot for https. To make it much more difficult to get rid of their trackers, ads etc. But still to let "authorized institutions" check the traffic, using root certs. Secure banking transactions could be done using other methods.
So I have to strongly agree with your scepticism.
Create a splice list for ethical concerns and/or “pinned” certificate sites. Many major vendors of firewalls use https intercepted traffic; it’s nothing new. It’s not easy to configure and it is illegal in some countries to do. If you own the devices and users know it’s decrypted, you might as well enable ClamAV with it too.
Create a splice file and splice list for devices and use your bump list for secure systems you are working on. Enable transparent and ssl intercept mode, use a bypass transparent list for devices that are set to use the proxy, and bingo, you've got both working: transparent and ssl intercept mode. It’s not easy; you've got to be a level 10000 wizard to make it work.
Today you've got Kali and other proxy software that is running inside Docker containers, in this day and age data marshaling network cards from inside host PCs and smartphones. Yes, proxy technology is relevant today; it helps mitigate abuses. Invasive containers are hard to spot, but with the right tools you can spot them. Squid is a great tool for that. It’s like a spotlight on the bad guys, and they’ll run from technology like this when it’s configured correctly. Set it up so it doesn’t cache huge objects also, because you do not want a container installing inside your cache; some users set max object size way too big. You've got to configure it correctly. Again, I still recommend using transparent and splicing everything so you only see GET requests. That’s all you really need, forget the rest of it. Look at the requests; any one out of order is what you want to investigate.
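
The splice-list and bump-list setup described in the posts above, written out as a squid.conf fragment. This is an added example, not configuration from any poster. It assumes Squid 4 or later built with OpenSSL support, and every path, port number and list file name in it is a placeholder.

```conf
# Added example. Paths, ports and list names below are assumptions.

# Explicit proxy port plus the two interception ports. The firewall rules
# that redirect client traffic to 3129/3130 are not shown here.
http_port 3128
http_port 3129 intercept
# tls-cert points at a locally generated CA (certificate and key in one PEM).
# A certificate issued by a public CA for your own domain cannot be used to
# sign certificates for other sites, so it does not work here.
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/ca/localCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-site certificates signed by the local CA.
# Squid 4 and later ship it as security_file_certgen (earlier releases
# called it ssl_crtd); the install path is an assumption.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Step 1: read the TLS ClientHello so the SNI server name is known.
acl step1 at_step SslBump1

# Splice list: server names that must never be decrypted (banking, health,
# sites or apps with pinned certificates). One entry per line, for example
# ".examplebank.test" (constructed entry).
acl splice_sites ssl::server_name "/etc/squid/splice.list"

# Bump list: source addresses of devices you own, that carry the local CA
# in their trust store, and whose users know the traffic is decrypted.
acl bump_clients src "/etc/squid/bump_clients.list"

ssl_bump peek step1
ssl_bump splice splice_sites
ssl_bump bump bump_clients
# Everything else is tunnelled untouched; only the server name is logged.
ssl_bump splice all

# Keep large downloads out of the cache.
maximum_object_size 4 MB
```

With the final `ssl_bump splice all`, any client missing from the bump list still gets working HTTPS, and the proxy records only the destination server name for it.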