Decryption of HTTPS Traffic
Web Filtering Proxy is capable of decrypting and inspecting HTTPS connections (assuming, of course, that browsers trust the proxy).
The following describes what happens when a user navigates to a web page whose HTTPS traffic is to be decrypted and inspected.
- User types a domain name in the browser address bar.
- Browser sends the request to proxy server, asking it to establish a secure CONNECT tunnel to remote origin server.
- Proxy establishes a secure HTTPS connection to the remote server and retrieves the server certificate.
- Proxy generates a new certificate for the remote server, imitating all properties of the original certificate, and signs this imitated certificate using its own Root CA certificate.
- Proxy sends that imitated certificate to the browser along with the message that the connection is successfully established.
- Browser accepts the imitated certificate, validates it and (because browser trusts the proxy) sends the request through the connection to the proxy.
- Proxy receives the request, filters it and passes it to origin server.
- When origin server replies with response, proxy filters that response and forwards it to the browser.
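The certificate handling in the steps above, as an added example that is not part of the original page or the proxy's own code: it mints an imitated certificate with Ruby's OpenSSL bindings and shows that a client accepts it only once the proxy's Root CA is in its trust store. The CA names, `www.example.com`, the helper names (`issue`, `imitate`, `accepts?`, `demo`) and the RSA keys are assumptions of the example, and only the subject, alternative names and validity period are copied.

```ruby
require "openssl"

# Issue a certificate with a fresh RSA key; with no issuer it is self-signed (a root CA).
def issue(subject, sans: nil, ca: false, issuer: nil, issuer_key: nil,
          not_before: Time.now - 60, not_after: Time.now + 3600)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = subject
  cert.issuer = issuer ? issuer.subject : subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", sans)) if sans
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# What the proxy does: copy the origin certificate's subject, names and validity
# into a new certificate with its own key, signed by the proxy's root CA.
def imitate(origin, proxy_ca, proxy_key)
  san = origin.extensions.find { |e| e.oid == "subjectAltName" }
  issue(origin.subject, sans: san&.value, issuer: proxy_ca, issuer_key: proxy_key,
        not_before: origin.not_before, not_after: origin.not_after).first
end

# What the browser does: chain the certificate to a root in its trust store and
# check that it names the host the user asked for.
def accepts?(cert, host, trust_store)
  store = OpenSSL::X509::Store.new
  trust_store.each { |root| store.add_cert(root) }
  store.verify(cert) && OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Constructed sample data: a stand-in public CA, an origin certificate and a proxy root CA.
def demo(host = "www.example.com")
  name = ->(cn) { OpenSSL::X509::Name.new([["CN", cn]]) }
  public_ca, public_key = issue(name.call("Example Public CA"), ca: true)
  origin, = issue(name.call(host), sans: "DNS:#{host}", issuer: public_ca, issuer_key: public_key)
  proxy_ca, proxy_key = issue(name.call("Example Proxy Root CA"), ca: true)
  fake = imitate(origin, proxy_ca, proxy_key)
  { issuer: fake.issuer.to_s,
    without_proxy_root: accepts?(fake, host, [public_ca]),
    with_proxy_root: accepts?(fake, host, [public_ca, proxy_ca]) }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The issuer field is the visible difference on the client side: the imitated certificate names the proxy's Root CA rather than the public CA that issued the original.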
Looking at this flow of events, we see that at least two things need to be configured for successful HTTPS inspection.
- Proxy needs to be configured with a certificate that can act as trusted Root CA.
- Browser needs to be set to trust that Root CA.
The following pages go into more detail on these two subjects.