[Privoxy-devel] https-inspection challenges

Fabian Keil fk at fabiankeil.de
Fri Jun 5 14:36:30 UTC 2020


Roland Rosenfeld <roland at spinnaker.de> wrote:

> I did my first steps on https-inspection of privoxy 2.0.29 (git
> 8097d5c7) today, to find out whether it's useful and how it handles
> bad certificates etc.

Great.
 
> First minor issue I tripped on, is that the user.action still uses the
> old label:
>  {+enable-https-filtering}
> which should be
>  {+https-inspection}

Fixed in git, thanks.
 
> Second I noted, that the cgi editor (eafu) currently does not support
> https-inspection (is this intended or a bug?).

D'oh. This bug was a result of a typo. Fixed in git as well.

> Next problem was, that I have a default upstream proxy defined.  This
> resulted in a timeout of the client
>  env HTTPS_PROXY=localhost:8118 curl --connect-timeout 10 https://badssl.com
> and the following privoxy debug log:

Good timing. I was actually working on the https-inspection+http-forwarding
code this forenoon and ran into the same issue.

> After defining an exception of the upstream proxy
>  forward .badssl.com .
> it worked as expected.
> (This works as a workaround, but I fear, that this is a bug in the new
> https-inspection code, it should be possible to combine forwarding and
> https-inspection, shouldn't it?)

Yes. I just pushed the fix for this to git.

> After this I was able to reach the website and now I got the expected
> cert error.  I uploaded the generated root cert as Authority to my
> browser but now https-inspection seems to work for me.

Great.

> I tried several broken certificates from https://badssl.com, most of
> them are correctly detected, I'm only a little irritated about the
> feedback the user gets, for example on https://expired.badssl.com/ I
> see a valid SSL cert in the browser (generated by privoxy via my fake
> CA) and some output that the certificate has expired with some info
> about the cert.  That's okay, but I'd expect some hint on the output
> page, that this page is generated by privoxy (maybe with a link to a
> FAQ about https-inspection).

I agree that the page could be improved.

> While most broken SSL sites were correctly detected, on
> https://revoked.badssl.com/ privoxy doesn't notice that the
> certificate has been revoked.

That's the currently expected behaviour. Privoxy
currently does not check for revoked certificates.

I don't know how much work implementing this would be.

I can also access the page just fine without Privoxy using
Firefox and curl so I guess Privoxy is not alone here.

>                               Also https://pinning-test.badssl.com/ is
> accepted, with bad HPKP.

Also expected, HPKP is not (yet?) implemented.

> Maybe you may want to play more with badssl.com, which looks quite useful
> for testing the https-inspection feature.

Indeed.

> I think that I will build the next Debian package with mbedtls enabled
> and maybe with ca and certs directories preinstalled with correct
> permissions and maybe a little README, that explains onboarding (what
> directories have to exist with what permissions and how to create a CA
> key/cert pair on Debian and where you will find a trusted-cas-file on
> Debian etc.).

Great. I hope that most packagers enable FEATURE_HTTPS_INSPECTION.

Fabian