[Solved] letsencrypt for https traffic

(@foresthus)
Active Member
Joined: 4 years ago
Posts: 11
Topic starter

Hello, would it be possible to implement letsencrypt for https traffic? Then you wouldn't have to export the certificate in order to make it known to each client again? All clients would then be protected via https.

(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2073

@foresthus Thanks for your thought.

Actually we are using SSL-bumping with squid (see https://wiki.squid-cache.org/Features/SslPeekAndSplice ). To do so each eBlocker generates a unique CA root certificate for signing website certificates on the fly.

Unfortunately I don't understand how some CA (like letsencrypt) could help here. To my knowledge none of the root CAs installed in browsers signs sub-CA signing certificates for private companies. 🤔

I'm eager to learn about your approach. Could you please go into more detail so we are all on the same page.

THX a lot!

(@foresthus)
Active Member
Joined: 4 years ago
Posts: 11
Topic starter
In the area of https pages, letsencrypt can also be integrated into other well-known firewall systems (e.g. OPNsense or pfSense for GUI access or for embedding in SQUID itself) so that no self-signed certificates have to be distributed. That was my question as to whether eBlocker can generate and update a similar query for a dyndns entry.

(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2073

@foresthus Maybe there is some confusion about x509 certificates, I'm happy to clear up:

Even though the technical format is (almost) identical for the certificates, there are big differences:

  1. There are certificates issued for (web) servers so they can identify themselves to a client for establishing an SSL connection. That's what letsencrypt and other certification authorities (CAs) issue.
  2. There are CA root certificates used for signing other certificates.

The latter is needed for SSL bumping (i.e. for eBlocker https). Please see here for understanding the details: https://www.thesslstore.com/blog/root-certificates-intermediate/

Nevertheless, as I discussed in my previous post: letsencrypt (as much as any other official CA) is not issuing intermediate/sub-CA signing certificates. In other words: the certificates from letsencrypt cannot be used.

If you have other infos, it would be great if you could share the link.

THX!

(@foresthus)
Active Member
Joined: 4 years ago
Posts: 11
Topic starter
  1. Which antivirus suites are supported by eBlocker without having to deactivate the https stream in the virus scanner?
  2. Why can't eBlocker provide a recognized certificate that can be used in all browsers? I think this problem occurs on many devices that don't allow manipulation (Amazon Fire, Apple TV, mobile devices, etc.). Storing self-signed certificates in proxies so that the https stream can be examined is not a solution.
  3. It is not a solution to enter all problems with certificates in the eBlocker yourself. That doesn't make any sense, because if you made an adjustment on the other side, you would have to do it again in the eBlocker. That is not acceptable in today's world.

(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2073

@foresthus 

  1. I use Windows Defender on Win 10 and it works just fine.
  2. See the link above that explains how SSL-bumping works. Make sure you understand the difference between root CA certificates and authentication/webserver SSL certificates. Once understood, your question is answered.
     BTW: You can just use eBlocker's Domain Blocker (and Personal Device Firewall) if you can't install the certificate (i.e. for Apple TV, FireTV etc).
  3. The Domain Blocker and the Personal Device Firewall are enabled by default for all eBlocker protected devices and there is no need for a certificate (or other) installation on the device.

THX!

(@foresthus)
Active Member
Joined: 4 years ago
Posts: 11
Topic starter

@random 

  1. From the first answer, I gather that only the Windows antivirus works properly. Was that understood correctly?
  2. Regarding the second question, I would like to ask again about the functionality of the SSL interception. Isn't the eBlocker certificate used to filter websites with https? So why shouldn't a self-signed certificate pose a problem with all browsers? Without the integration of the certificate, as described here, all https websites are classified as untrustworthy. Please explain that and also the many other questions in the forum about https and certificates. Please also comment on "https://eblocker.org/docs/certificate/" because it says that this self-signed certificate must be installed on all devices.
  3. Is eBlocker's "Personal Device Firewall" out of the beta stage? I have the impression that there is still development going on here.

(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2073
Posted by: @foresthus

I gather that only the Windows Antivirus works properly. Was that understood correctly?

No, this is not correct. I just shared my personal experience and have not tested any other anti-virus software (as nowadays AVS doesn't make much sense in my eyes).

Posted by: @foresthus

Please also comment on "https://eblocker.org/docs/certificate/" because it says that this self-signed certificate must be installed on all devices.

I know, reading and understanding technically complex matters is not everyone's cup of tea. Even though I tend to repeat myself, I'm happy to try again:

All Certification Authority (CA) root certificates are self-signed (by definition - otherwise it's not the root). The CA root certificates of trusted certificate issuers are pre-installed in each browser. This is necessary so a browser can validate a webserver's certificate (that's for instance signed by letsencrypt).

Now, eBlocker sets up its own CA to be able to intercept a website's certificate. This is needed to decrypt the SSL traffic. To do so eBlocker terminates the SSL connection instead of the browser and issues a new webserver certificate signed on-the-fly with its CA root key. With this technique the browser can validate this new (eBlocker's) certificate signature only if eBlocker's CA root certificate is installed as a trusted CA. This way eBlocker gets the unencrypted traffic while the browser has a valid SSL connection - to what it believes is the original site.

I know this might sound difficult, as I'm not a good teacher. Even if it's not understood, please respect that this is high tech and SSL-bumping is industry standard for analyzing SSL traffic.

Repeating your question over and over is like constantly asking "why can't cars run without the need for gas - my electric car runs without gas too". You might realize that some sort of energy is always needed: power or gas. Same here. Of course we all wish for cars without energy needs - and we also wish for decrypting SSL without the installation of a CA root certificate. Both wishes are technically impossible to fulfill - unfortunately... Btw: this is good news as otherwise the security of the whole Internet would be breached.

Posted by: @foresthus

Is eBlocker's "Personal Device Firewall" out of the beta stage? I have the impression that there is still development going on here.

eBlocker's Domain Blocker was released in 2016. It's designed to protect devices where a certificate cannot be installed or where it's not favorable. This alternative protection approach was developed exactly for people with less tech skills and the use case you've discussed above: "I'm unable/unwilling to install a certificate."

The Personal Device Firewall (PDFW) is based on this Domain Blocker. The PDFW "just" gives you additional freedom in analyzing the traffic from a particular device and blocking connections individually - using the long established and well working Domain Blocker. Btw: it automatically blocks trackers with our curated block list.

Your impression that there is development going on with the PDFW is not correct. All features we've released last year are stable and we are not aware of any issues. Nevertheless, we'd like to keep the beta status to lower expectations in case rare glitches take place. This is to encourage users to give feedback, so we can improve.

THX!

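The distinction Random draws above between web-server certificates and CA root certificates, and the on-the-fly signing he describes, as an added example in Go that is not part of the thread or of eBlocker's code: it builds a constructed CA root, issues a site certificate with it the way an SSL-bumping proxy does, and shows that the browser-side check succeeds only with the root in the trust store, while a certificate signed with the key of a CA:FALSE server certificate (the kind Let's Encrypt actually issues) is rejected. The hostnames example.com and box.example and the CA name are constructed placeholders; only Go's standard crypto/x509 is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates one of the two kinds of certificate the thread distinguishes: a CA
// root (CA:TRUE, keyCertSign) or a web-server certificate (CA:FALSE, serverAuth,
// SAN = name), signed with parentKey; a nil parentKey means self-signed, i.e. a root.
func issue(name string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageCertSign}
	if !ca { // what Let's Encrypt and other public CAs issue to web servers
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parentKey == nil { parent, parentKey = t, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Bump issues a certificate for the bumped site on the fly and returns the browser's
// verdict. rootInstalled: the CA root is in the trust store. viaServerCert: sign with
// a Let's-Encrypt-style CA:FALSE server certificate's key instead of the root key.
func Bump(rootInstalled, viaServerCert bool) error {
	root, rootKey, err := issue("Root CA (constructed)", true, nil, nil)
	if err != nil { return err }
	signer, signerKey := root, rootKey
	opts := x509.VerifyOptions{DNSName: "example.com", Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	if viaServerCert { // the browser is even handed the server certificate as "CA"
		if signer, signerKey, err = issue("box.example", false, root, rootKey); err != nil { return err }
		opts.Intermediates.AddCert(signer)
	}
	if rootInstalled { opts.Roots.AddCert(root) }
	leaf, _, err := issue("example.com", false, signer, signerKey) // constructed site name
	if err != nil { return err } // a Go version refusing a CA:FALSE signer would already stop here
	_, err = leaf.Verify(opts) // a CA:FALSE intermediate fails with NotAuthorizedToSign
	return err
}
```

Bump(true, false) is the working eBlocker setup, Bump(false, false) is a device without the root installed, and Bump(true, true) is the letsencrypt proposal from the thread; only the first returns nil.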
(@foresthus)
Active Member
Joined: 4 years ago
Posts: 11
Topic starter

@random 

Thanks for this information. 😊

(@stevie)
Active Member
Joined: 3 years ago
Posts: 5
Posted by: @random
  1. BTW: You can just use eBlocker's Domain Blocker (and Personal Device Firewall) if you can't install the certificate (i.e. for Apple TV, FireTV etc).

Are you sure this won't work with AppleTV?
There is the Apple Configurator with which you can upload profiles to the AppleTV.

(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2073
Posted by: @stevie

Are you sure this won't work with AppleTV?

No, sorry - I'm not an Apple expert, but users reported they couldn't install the certificate. 🤔

It would be great if you could share step by step instructions here. Then we can add these to the documentation, so everyone profits 👍

THX!

(@stevie)
Active Member
Joined: 3 years ago
Posts: 5

That was not a confirmation that it works but just a question.
I use an IPFire with Squid (+ SquidGuard) as a proxy. I had used the proxy in the past with AppleTV. To not have to use a transparent proxy, I had created a profile with the Apple Configurator and pushed it to the AppleTV. As far as I remember, you can also install certificates this way. Therefore the question.

Basically I would try it and report (and also write a tutorial if it works). But I have not installed eBlocker yet. I became aware of the product recently and am looking around.

(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2073

@stevie Your help and expertise is highly appreciated! 🙏

Would be awesome if you find a way. 👍

THX!

(@stevie)
Active Member
Joined: 3 years ago
Posts: 5

If I see it correctly, you can install the following certificates: PKCS1 and PKCS12

(@random)
Illustrious Member Admin
Joined: 6 years ago
Posts: 2073

@stevie PKCS12 should match eBlocker's output to my knowledge. But some more verbose instructions would be great 😉

THX!

(@stevie)
Active Member
Joined: 3 years ago
Posts: 5

If I try eBlocker and it works with AppleTV, I will report (unfortunately there is apparently no DNSSEC and DoT yet).
Problem: I have little time at the moment.

Apple Configurator for Mac is an app that makes it easy to deploy iPad, iPhone, iPod touch, and Apple TV devices in your school or business.

https://support.apple.com/apple-configurator

Edit: https://support.apple.com/de-de/guide/deployment/dep91d2eb26/1/web/1.0