Cannot Connect to a Blocked Site in HTTPS
Question: Why do we see the "Cannot connect to site using HTTPS" browser message instead of the usual blue "Site is blocked" page?
Answer: If you are not using HTTPS decryption and a user goes to a blocked site, for example https://facebook.com, the following sequence of events occurs.
- The browser establishes a regular HTTP connection to the proxy server and sends a CONNECT facebook.com:443 request, asking the proxy to set up a tunnel to Facebook.
- Squid intercepts this request and passes it to the Web Safety ICAP server.
- The ICAP server sees that the Facebook domain is blocked and returns a 403 Blocked HTTP response to Squid.
- Squid forwards this 403 Blocked response to the browser as the reply to the CONNECT request.
- The browser expected a 200 reply to CONNECT followed by the TLS handshake from Facebook. Because the 403 comes from the proxy and not from the site, the browser deliberately refuses to render its body (a proxy-supplied page shown under an HTTPS address could be mistaken for content from that site) and instead displays its own "Cannot connect to site using HTTPS" message.
This behaviour is deliberate and common to all major browsers. For more information see the following issue in the Mozilla bug tracker and this article in the Squid documentation.
But if you are using HTTPS decryption, the sequence of events is different.
- The browser establishes a regular HTTP connection to the proxy server and sends a CONNECT facebook.com:443 request, asking the proxy to set up a tunnel to Facebook.
- Squid intercepts this request and passes it to the Web Safety ICAP server.
- The ICAP server sees that the Facebook domain is blocked but, knowing that all HTTPS connections will be decrypted, returns a 200 Connection Established response to Squid.
- Squid forwards this 200 Connection Established response to the browser and starts HTTPS decryption, generating a certificate for facebook.com that mimics the real one and is signed by the proxy's own CA.
- The browser starts the TLS handshake inside the established tunnel. Because it trusts the proxy's CA certificate (it must be installed in the browser's or the system's trust store, otherwise the user gets a certificate error instead of the blocked page), the handshake succeeds and the browser sends a normal HTTPS request for Facebook's initial page.
- Squid passes that decrypted request to the ICAP server, which blocks it (as all requests to Facebook are blocked) and sends the 403 Blocked page back to the browser over the tunnel.
- The browser renders that blocked page normally, because it now arrives as an ordinary HTTPS response from what the browser believes is the site, not as a reply to CONNECT.