
Decryption of HTTPS Traffic

Web Safety is capable of decrypting and inspecting HTTPS connections, provided that the browsers (and any other TLS clients whose traffic passes through the proxy) trust the proxy's Root Decryption Certificate.

Decrypting Flow

The following describes what happens when a user navigates to a web site whose HTTPS traffic is to be decrypted and inspected.

The parties involved are the user sitting at the computer, the browser used to navigate to the web site, the Web Safety appliance (consisting of the Squid proxy and the Web Filtering ICAP server), and the origin server of the requested domain.

  • The user types a domain name into the browser address bar, for example https://www.example.com.
  • The browser sends a CONNECT request to the proxy, asking it to establish a tunnel to the remote origin server www.example.com on port 443.
  • The Squid proxy, as part of the Web Safety appliance, establishes its own TLS connection to the remote server and retrieves the server certificate.
  • The proxy generates a new certificate for the remote server that imitates the properties of the original one (subject, Subject Alternative Names, validity period) but uses the proxy's own key pair, and signs this imitated certificate with its Root Decryption Certificate.
  • The proxy presents the imitated certificate to the browser and completes the TLS handshake on the browser side.
  • The browser validates the imitated certificate. Because the browser trusts the Root Decryption Certificate, validation succeeds and the browser sends the HTTP request for the page through the tunnel; a browser that does not trust it shows a certificate error instead.
  • The proxy forwards the request to the origin server over its own TLS connection and retrieves the contents of the requested page.
  • The proxy sends the contents of the page to the Web Filtering ICAP server, which is also part of the Web Safety appliance.
  • The Web Filtering ICAP server inspects the contents of the page and allows or blocks it.
  • The proxy returns the contents of the site (or the block page) to the browser, which renders it on the screen.
  • The user reads the site they wished to access.

Looking at this flow of events, at least two things need to be configured for HTTPS inspection to succeed.

  1. The proxy needs to be configured with a CA certificate, whose private key is held on the appliance, that can act as the trusted Root Decryption Certificate.
  2. Every browser needs to be set to trust that Root Decryption Certificate; otherwise it sees a certificate from an unknown issuer and refuses the connection.

Note that applications which pin the origin's certificate or public key instead of consulting the system trust store reject the imitated certificate even when the Root Decryption Certificate is installed. Traffic from such applications has to be excluded from decryption.
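
The certificate part of the flow above, and the two requirements it leads to, can be reproduced with the openssl command line. The following script is an added example and is not code from Web Safety or Squid; it assumes that an openssl binary (1.1.1 or later) is installed, and every file name, hostname and certificate subject in it is constructed for the demonstration. It creates a Root Decryption Certificate, creates a stand-in for the origin's certificate, copies the origin's subject and SANs into an imitated certificate signed by the root, and then checks the result against a trust store that contains the root and one that does not.

```shell
#!/bin/sh
# Added example, not part of Web Safety or Squid: replay the certificate part
# of the decryption flow with the openssl CLI. Assumes openssl 1.1.1+ is
# installed; every file, name and hostname here is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
# The [dn] entry is a placeholder: every request below passes -subj instead.
write_config() {
  cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[origin_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
}

# Requirement 1: the Root Decryption Certificate (a CA) held by the appliance.
make_root_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/demo.cnf" -extensions ca_ext \
    -subj "/CN=Web Safety Root Decryption CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Stand-in for the certificate the proxy retrieves from www.example.com.
# Constructed as self-signed; the proxy never has the origin's private key.
make_origin_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/demo.cnf" -extensions origin_ext \
    -subj "/CN=www.example.com" \
    -keyout "$WORK/origin.key" -out "$WORK/origin.crt" 2>/dev/null
}

# Properties the proxy copies from the origin certificate: subject and SANs.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt compat | sed 's/^issuer= *//'; }
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# The imitated certificate: the origin's subject and SANs, the proxy's own key,
# signed by the Root Decryption Certificate. (Squid also copies the validity
# period; a fixed 30 days is used here for brevity.)
make_mimic_cert() {
  san=$(cert_san "$WORK/origin.crt")
  {
    echo 'basicConstraints = CA:FALSE'
    echo 'extendedKeyUsage = serverAuth'
    if [ -n "$san" ]; then echo "subjectAltName = $san"; fi   # origin without SAN: omit
  } > "$WORK/mimic_ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/demo.cnf" \
    -subj "$(cert_subject "$WORK/origin.crt")" \
    -keyout "$WORK/mimic.key" -out "$WORK/mimic.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/mimic.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/mimic_ext.cnf" \
    -out "$WORK/mimic.crt" 2>/dev/null
}

# Requirement 2, seen from the client: validation of the imitated certificate
# for www.example.com succeeds only when the trust store ($1) contains the
# Root Decryption Certificate. Prints "trusted" or "rejected".
client_verdict() {
  if openssl verify -CAfile "$1" -verify_hostname www.example.com \
       "$WORK/mimic.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

main() {
  write_config
  make_root_ca
  make_origin_cert
  make_mimic_cert
  echo "origin subject : $(cert_subject "$WORK/origin.crt")"
  echo "mimic subject  : $(cert_subject "$WORK/mimic.crt")"
  echo "mimic SAN      : $(cert_san "$WORK/mimic.crt")"
  echo "mimic issuer   : $(cert_issuer "$WORK/mimic.crt")"
  echo "browser with the root installed : $(client_verdict "$WORK/root.crt")"
  # A store without the root (here: only the origin's own certificate) rejects it.
  echo "browser without the root        : $(client_verdict "$WORK/origin.crt")"
}

main
```

The second verdict is what a user sees when the Root Decryption Certificate has not been deployed to their browser: the imitated certificate is well formed and matches the hostname, but its issuer is unknown, so the connection is refused.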

The following pages go into more detail on these two subjects.

Decryption Modes

Web Safety can operate in three distinct modes with regard to HTTPS decryption. They are described below.

Disabled
  Default mode. No HTTPS decryption or deep content filtering is performed. Web filtering may not be very effective, because the proxy has no access to the actual textual contents of the HTML pages being transferred. Only web filtering by the domain names being connected to (as seen in the CONNECT request) is active.

Targeted Decryption
  Only the sites specified by the administrator are decrypted and filtered. All other HTTPS connections pass through untouched. Web filtering by the domain names being connected to remains active for them.

Complete Decryption
  All HTTPS connections are decrypted and filtered. The administrator may mark some categories of domains to be excluded from decryption automatically, for example connections to financial and government institutions, medical and health organizations, etc.

To select the active mode, navigate to Admin UI / Squid Proxy / HTTPS / Decryption Mode and choose the desired mode, as shown on the following screenshot.

Proxy Settings