SSL decryption blocks all YouTube access (and other sites) due to HSTS errors


Rodney Baker

Jun 13, 2022, 4:12:28 AM
to Diladele Web Safety
When enabling SSL decryption for sites such as YouTube, Facebook, Quora (and many others), both Firefox and Chrome refuse to load the sites due to HSTS being enabled on those sites (the proxy server is correctly detected as a MITM attack, but this is on a home network with kids accessing it, so I want to be able to content-filter HTTPS traffic).

I've added the proxy cert to the browser but this does not fix the issue. Running explicit proxy mode with version 8.1 (trial license until I can get this fixed).

Any suggestions?

Thanks in anticipation,
Rodney.

Rafael Akchurin

Jun 13, 2022, 4:16:50 AM
to web-s...@googlegroups.com
Hello Rodney,

This usually happens when the proxy decryption cert has been installed incorrectly or not fully. Are you able to see the cert in the Trusted Root Certificate store on Windows (assuming you use Windows, of course)?

Are you sure you installed the same cert the proxy uses for decryption? This sometimes happens when people generate multiple certs while experimenting.

Best regards,
Rafael Akchurin


Rodney Baker

Jun 13, 2022, 6:36:50 AM
to Diladele Web Safety
I found the problem - Firefox 101 (in fact any version since 65) requires security.enterprise_roots.enabled for local CA certs to be trusted. Once I set this to "TRUE" (has to be done via about:config) it started working as expected. I just have to fine-tune the filter settings now. :)

It also works with Chrome on Linux (once the cert was successfully imported).

Thanks for your help.


Regards,
Rodney.

Techie Xplorer

Dec 21, 2022, 1:03:12 AM
to Diladele Web Safety

Hi Rodney/Dev Team,

We are getting the same issue with the Edge and Chrome browsers, where some sites work perfectly fine whereas others generate an HSTS failure message on the same machine with the same proxy and decryption certificate.

We have deployed the certificate used in decryption using GPO and it is working for most of the sites.

Since you confirmed that the issue was resolved "once the cert was successfully imported", can you please confirm the location the certificate was imported into: within the browser settings, the Certificates MMC, or someplace else?

This issue currently persists with specific sites such as bing.com, custom sites hosted in our infrastructure, and accounts.google.com. Apart from these specific domains, the proxy is working fine for most other sites being accessed.

Regards
Techie.
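A quick way to rule out the mismatch Rafael raises earlier in the thread (the CA you imported is not the one the proxy actually signs with), which is also the first thing to check for the per-site failures Techie describes: compare the imported CA against a certificate captured through the proxy. This is an added example, not code from the thread or from Diladele; it needs only the openssl command-line tool. The proxy address in the comment, the file names, and the two throwaway CAs it generates to exercise the check offline are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the thread or of Diladele Web Safety: verify that
# the CA certificate imported into the OS/browser trust store is the one that
# signed the certificates the proxy presents. Requires the openssl CLI.
# Proxy address, file names and the throwaway CAs below are constructed.

# Print the SHA-256 fingerprint of a certificate, for comparison with the
# fingerprint shown in the browser's certificate viewer.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 when LEAF (a certificate captured from the proxy) chains to CA (the
# file that was imported into the trust store), 1 otherwise.
check_proxy_ca() {
    ca="$1"
    leaf="$2"
    echo "imported CA fingerprint : $(cert_fingerprint "$ca")"
    echo "proxy leaf issuer       : $(openssl x509 -in "$leaf" -noout -issuer)"
    if openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "OK: the proxy certificate chains to the imported CA"
        return 0
    fi
    echo "MISMATCH: the imported CA did not sign the proxy certificate"
    return 1
}

# Constructed fixture so the check can be exercised offline: two throwaway CAs
# (experimenting tends to leave several behind) and a leaf for www.youtube.com
# signed only by the first. Against a real explicit proxy, capture the leaf
# the browser sees instead, e.g. (proxy address is an assumption):
#   openssl s_client -proxy proxy.lan:3128 -connect www.youtube.com:443 \
#       </dev/null 2>/dev/null | openssl x509 -out leaf.pem
make_fixture() {
    dir="$1"
    mkdir -p "$dir"
    # Self-contained openssl config so the result does not depend on the
    # system openssl.cnf; the DN section is overridden by -subj below.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    for n in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
            -subj "/CN=Test Proxy CA $n" \
            -keyout "$dir/ca$n.key" -out "$dir/ca$n.pem" 2>/dev/null
    done
    # Leaf extensions: an end-entity cert with the site name as SAN.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.youtube.com\n' \
        > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=www.youtube.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca1.pem" -CAkey "$dir/ca1.key" \
        -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Usage: sh check_proxy_ca.sh imported_ca.pem leaf.pem
if [ "$#" -eq 2 ]; then
    check_proxy_ca "$1" "$2"
fi
```

If the captured leaf verifies against one of the CAs left over from experimenting but not against the one deployed by GPO, that is the mismatch to fix. Note that this check only covers the trust chain: it does not cover the Firefox setting Rodney found (security.enterprise_roots.enabled), which decides whether Firefox consults the OS store at all. The same untrusted-chain problem is reported by browsers as an "HSTS" error only on hosts that are on the HSTS preload list or have already sent Strict-Transport-Security, because on those hosts the browser offers no click-through for a certificate error; on other hosts the same misconfiguration shows up as an ordinary certificate warning, which is why it can look site-specific.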

rafael....@diladele.com

Dec 21, 2022, 1:25:29 AM
to Diladele Web Safety