Chrome 58+, ERR_CERT_COMMON_NAME_INVALID and missing_subjAltName

After Chrome 58+ started to check for the presence of the subjAltName extension in SSL certificates presented by remote sites, it turned out that the order of the ssl_bump directives that the Admin UI generates is not completely correct. If you have blocked www.youtube.com in Web Safety, then accessing https://www.youtube.com in Chrome 58+ results in an ERR_CERT_COMMON_NAME_INVALID error instead of the expected access-forbidden page.

Consider the following.

* We have blocked access to .youtube.com in Default Policy / Block by Domain.
* The user types https://www.youtube.com into the browser's address bar. Note the httpS:// scheme!
* The browser sends a CONNECT request for www.youtube.com:443 to the Squid proxy.
* Squid forwards this request to the ICAP web filter.
* Web Safety instructs Squid to decrypt the HTTPS connection (so that it can show the blocked page later).
* Squid mimics the SSL certificate of www.youtube.com without contacting the actual YouTube server, so the mimicked certificate carries only a Common Name and no subjAltName extension.
* Chrome 58+, which no longer falls back to the Common Name and requires a matching subjAltName, shows the "Your connection is not private" message.

This happens because, by default, Squid does not include the subjAltName extension in SSL certificates generated without contacting the origin server. See bug http://bugs.squid-cache.org/show_bug.cgi?id=4711 (to be fixed in Squid version 3.5.25+).

To fix this issue we need to reorder the ssl_bump directives that Web Safety generates. Continue reading at https://docs.diladele.com/faq/squid/chrome_ssl_filter/wrong_order_of_peek_and_splice.html
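As an added example (not code from this post, from Squid or from Web Safety), the following shell script reproduces the two certificate shapes in question with OpenSSL and applies the Chrome 58+ rule to each: a CN-only certificate, as Squid generated when it did not contact the origin, and one that also carries a subjectAltName. The host name is the one from the post; the proxy host and port in the trailing comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Diladele post or of Squid/Web Safety: builds
# two self-signed certificates for www.youtube.com, one with only a Common
# Name (what Squid produced for the "no contact with origin" case, bug 4711)
# and one that also carries a subjectAltName, and checks each the way
# Chrome 58+ does. Requires OpenSSL 1.1.1+ (for `req -addext`).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert HOST BASENAME [san]
# Writes BASENAME.key and BASENAME.pem. With the third argument "san" the
# certificate also gets "subjectAltName=DNS:HOST".
make_cert() {
    host="$1"; base="$2"; mode="${3:-nosan}"
    if [ "$mode" = "san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -keyout "$base.key" -out "$base.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
            -keyout "$base.key" -out "$base.pem" 2>/dev/null
    fi
}

# has_san CERT.pem -> 0 if the certificate carries a subjectAltName extension
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# chrome58_accepts HOST CERT.pem -> 0 only if HOST is listed as a DNS entry in
# the subjectAltName. Chrome 58+ no longer falls back to the CN, so a CN-only
# certificate fails this check and the browser reports
# ERR_CERT_COMMON_NAME_INVALID.
chrome58_accepts() {
    openssl x509 -in "$2" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' \
        | grep -qF "DNS:$1"
}

NOSAN="$WORK/nosan.pem"
WITHSAN="$WORK/withsan.pem"
make_cert www.youtube.com "$WORK/nosan"
make_cert www.youtube.com "$WORK/withsan" san

for cert in "$NOSAN" "$WITHSAN"; do
    if has_san "$cert"; then san=yes; else san=no; fi
    if chrome58_accepts www.youtube.com "$cert"; then
        verdict=accepted
    else
        verdict=ERR_CERT_COMMON_NAME_INVALID
    fi
    printf '%s: subjectAltName=%s, Chrome 58+: %s\n' \
        "$(basename "$cert")" "$san" "$verdict"
done

# To inspect what your own proxy hands to the browser for a blocked site
# (proxy host and port are assumptions; not run here):
#   openssl s_client -proxy proxy.example:3128 -connect www.youtube.com:443 \
#       -servername www.youtube.com </dev/null 2>/dev/null \
#     | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
```

The `s_client -proxy` form in the last comment is the quickest way to confirm whether the certificate Squid presents for a blocked HTTPS site lacks the extension, and to re-check after reordering the ssl_bump rules.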


Blocking access to Unicode domain name phishing sites

According to The Hacker News story at http://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html, many browsers are vulnerable to the homograph phishing attack that uses Unicode (Punycode-encoded) domain names.

Because Squid mimics the subject name and subject alternative names of certificates when HTTPS filtering is enabled, the Unicode domain name of a phishing site is mimicked too, so HTTPS filtering alone does not stop it. To block access to such sites it is recommended to add the following URL regex to Admin UI / Web Safety / Filtering Rules / Block by URL.

https?:\/\/.*\.xn--.*

This is a temporary measure until browsers are fixed. It may result in over-blocking, especially in countries where Unicode (IDN) domain names are common (China?). Note also that the pattern requires a dot before xn--, so it matches www.xn--80ak6aa92e.com but not a URL whose first host label is the Punycode one, such as the xn--80ak6aa92e.com example from the linked story.
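As an added example (not code from this post or from Web Safety), the script below runs the "Block by URL" pattern from the post, and an amended version that also catches a leading Punycode label and ignores "xn--" in the path, over a few constructed URLs. Web Safety's regex engine is not documented here; POSIX ERE via grep -E is assumed to behave the same for these patterns, and the sample URLs are constructed for the test.

```shell
#!/bin/sh
# Added example, not part of the Diladele post or of Web Safety: runs the
# "Block by URL" regex from the post, and an amended version of it, over a
# few constructed URLs with grep -E. Web Safety's own regex engine is not
# documented here; POSIX ERE is assumed to behave the same for these patterns.
set -eu

# Pattern from the post, with the slashes unescaped for grep -E.
ORIG_RE='https?://.*\.xn--.*'
# Amended pattern: the Punycode label may be the first (or only) host label,
# and "xn--" occurring only in the path no longer matches.
BETTER_RE='https?://([^/]*\.)?xn--'

# url_matches PATTERN URL -> 0 if URL matches PATTERN
url_matches() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# Constructed sample URLs. xn--80ak6aa92e.com is the Punycode form of the
# Cyrillic "apple.com" look-alike from the linked Hacker News story.
URL_LEADING='https://xn--80ak6aa92e.com/'
URL_SUBDOMAIN='https://www.xn--80ak6aa92e.com/login'
URL_PATH_ONLY='http://example.com/a.xn--not-a-host'
URL_LEGIT='https://www.apple.com/'

for url in "$URL_LEADING" "$URL_SUBDOMAIN" "$URL_PATH_ONLY" "$URL_LEGIT"; do
    if url_matches "$ORIG_RE" "$url"; then o=block; else o=allow; fi
    if url_matches "$BETTER_RE" "$url"; then b=block; else b=allow; fi
    printf '%-45s original: %-5s amended: %s\n' "$url" "$o" "$b"
done
```

When entering the amended pattern into Web Safety, escape the slashes the same way the post does (`https?:\/\/([^\/]*\.)?xn--.*`).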


ubuntu.diladele.com is to be taken down in 30 days

The ubuntu.diladele.com repository, used for the custom Squid build with HTTPS filtering support, will be taken down in 30 days. This repo is based on the (obsolete) tutorial for Ubuntu 14 LTS – https://docs.diladele.com/howtos/build_squid_ubuntu14/index.html

It is not used by any supported version of Web Safety, as we now use Ubuntu 16 LTS in our virtual appliance, based on the build tutorial https://docs.diladele.com/howtos/build_squid_ubuntu16/index.html and the online repository ubuntu16.diladele.com

Everyone is encouraged to move to the current stable version of Web Safety, 4.9. See https://www.diladele.com/virtual_appliance.html
