[HTTPS-Everywhere] Intercepting proxy - Does SSL Observatory work?

Seth David Schoen schoen at eff.org
Tue May 23 09:59:10 PDT 2017


Maciej Soltysiak via HTTPS-Everywhere writes:

> Hi,
> 
> My company is implementing blue coat intercepting proxy to scan for malware.
> The proxy intercepts TLS connections, on-the-fly generates a cert and does
> MITM.
> The clients are supposed to have certs installed to be fooled by the proxy.
> 
> Now, in Firefox, I installed the certs of the decryptor, installed HTTPS
> Everywhere, enabled SSL Observatory, asked it to check certs even if not on
> Tor and have:
> * Submit and check self-signed certs
> * Submit and check certificates signed by non-standard root CAs.
> 
> I would've expected SSL Observatory to warn me that my connection is
> tampered with, yet it doesn't.
> 
> Any advice, please? Are the SSL Observatory checks using the firefox proxy
> settings?

Hi Maciej,

The SSL Observatory's warning feature, as far as I know, requires a manual
action by the HTTPS Everywhere developers, and has so far never been
activated.  That is, so far the functionality of the Observatory has been
limited to passively collecting data.

The Observatory does accept reports of certificates issued by
intercepting proxies and many such reports exist in the database.  This
might eventually contribute to some kinds of research about these proxies.

Warning people about corporate MITM proxies is a difficult problem which
has been debated extensively by browser developers.  The biggest part of
the problem is that the people deploying these proxies very commonly
control the endpoints, so if browsers or extensions warned people about
the MITM certificates in a way that the organizations disliked, they could
eventually disable the warnings or forbid use of that software.  (Of
course, the exact level of technical control that they exercise over
endpoints is different from organization to organization.)

If HTTPS Everywhere did try to warn about every apparently-misissued
certificate from a non-publicly-trusted root, it would have to warn about
_every_ certificate from such roots, which means every user whose browser
had added a root certificate would receive a warning about every site
(even internal organizational sites, where the certificates are not, in
fact, misissued or intended to facilitate interception).  I'm not sure
this feature would be very useful, but if you think that's what users may
expect, we could consider changing how the options are described within
the user interface.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
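The last paragraph of the reply makes a point worth seeing in code: a check keyed only on "does this chain end at a root outside the public store?" fires identically for a proxy-forged certificate and for a legitimate internal site, so on its own it cannot tell interception from enterprise PKI. The Go program below is an added example written for this page; it is not code from HTTPS Everywhere, the SSL Observatory, or Blue Coat. It builds a constructed scenario entirely offline (one "public" root standing in for the browser's built-in store, one "enterprise" root standing in for a locally installed decryptor CA, and three leaf certificates), classifies each leaf with the standard library's x509 verifier, and then shows the extra signal a warning feature would need: a per-host public-key pin recorded earlier, against which a local-root chain can be compared. All labels, function names, host names and the pin table are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Outcome labels for a root-based check (names invented for this example).
const (
	ChainPublicRoot = "public-root" // chains to a root in the public store
	ChainLocalRoot  = "local-root"  // chains only to a root the user/organization added
	ChainUntrusted  = "untrusted"   // chains to neither; the browser would already error
)

var serial int64 // simple unique serial numbers for the constructed certificates

// issue creates a P-256 certificate for cn. With parent == nil it is a self-signed CA root;
// otherwise it is an end-entity server certificate for DNS name cn signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is supplied
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiFingerprint is the hex SHA-256 of the leaf's SubjectPublicKeyInfo, the usual pinning value.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// classifyChain is the root-only check: verify for host against the public store first,
// then against locally added roots. It cannot distinguish interception from internal PKI.
func classifyChain(leaf *x509.Certificate, host string, public, local *x509.CertPool) string {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: public}); err == nil {
		return ChainPublicRoot
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: local}); err == nil {
		return ChainLocalRoot
	}
	return ChainUntrusted
}

// suspectInterception adds the missing signal: a local-root chain whose key differs from a pin
// previously recorded for that host is flagged. A local-root site with no recorded pin is not,
// which is exactly the internal-site case the reply describes.
func suspectInterception(leaf *x509.Certificate, host string, public, local *x509.CertPool, pins map[string]string) bool {
	if classifyChain(leaf, host, public, local) != ChainLocalRoot {
		return false
	}
	pin, known := pins[host]
	return known && pin != spkiFingerprint(leaf)
}

type scenario struct {
	public, local                  *x509.CertPool
	genuine, intercepted, internal *x509.Certificate
}

// buildScenario constructs the offline test fixture: two roots and three leaves.
func buildScenario() scenario {
	publicRoot, publicKey := issue("Constructed Public Root", nil, nil)
	localRoot, localKey := issue("Constructed Enterprise Root", nil, nil)
	public, local := x509.NewCertPool(), x509.NewCertPool()
	public.AddCert(publicRoot)
	local.AddCert(localRoot)
	genuine, _ := issue("example.com", publicRoot, publicKey)             // the real site
	intercepted, _ := issue("example.com", localRoot, localKey)           // forged on the fly by a proxy
	internal, _ := issue("intranet.corp.example", localRoot, localKey)    // legitimate internal site
	return scenario{public, local, genuine, intercepted, internal}
}

func main() {
	s := buildScenario()
	pins := map[string]string{"example.com": spkiFingerprint(s.genuine)} // learned earlier, out of band
	for _, c := range []struct {
		name, host string
		cert       *x509.Certificate
	}{
		{"genuine example.com", "example.com", s.genuine},
		{"proxy-forged example.com", "example.com", s.intercepted},
		{"internal intranet.corp.example", "intranet.corp.example", s.internal},
	} {
		fmt.Printf("%-32s chain=%-11s suspect=%v\n", c.name,
			classifyChain(c.cert, c.host, s.public, s.local),
			suspectInterception(c.cert, c.host, s.public, s.local, pins))
	}
}
```

Run it with `go run .`: the forged and the internal certificate both come back `local-root`, which is the warn-on-everything outcome the reply describes; only the pin lookup separates them, and a pin has to come from somewhere the proxy does not control (which is what makes the problem hard in practice, since the proxy operator often controls the endpoint and could suppress or pre-seed that store).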

