How does HTTPS inspection work with SafeSquid

HTTPS inspection flow
1. When a user's browser requests a secure page, say https://www.xyz.com, it does not send that request to the proxy in the clear. It sends SafeSquid a CONNECT request (CONNECT www.xyz.com:443), asking for a tunnel to that host and port.
2. SafeSquid checks its configuration to see whether this user is allowed to access https://www.xyz.com. If access is denied, SafeSquid sends the blocked-page template to the browser and closes the connection.
3. If access is allowed, SafeSquid checks whether HTTPS inspection is enabled for this site.
If HTTPS inspection is disabled, SafeSquid resolves www.xyz.com via DNS, connects to the server, and from then on only relays bytes between the browser and the server (a plain CONNECT tunnel). The browser performs the TLS handshake directly with www.xyz.com, verifies the server's certificate itself, and encrypts the traffic with session keys known only to the browser and the server. SafeSquid sees the destination host and port from the CONNECT request and the volume of encrypted traffic, but it cannot read or modify anything inside the tunnel, so no content filtering is possible.
If HTTPS inspection is enabled:
i)  SafeSquid resolves www.xyz.com via DNS and opens a TCP connection to the server.
ii) SafeSquid performs the TLS handshake with the server, acting as the client.
SafeSquid sends a ClientHello to the server.
The server replies with its ServerHello and its certificate, which carries the server's public key.
SafeSquid verifies the certificate chain of www.xyz.com against its trusted root CA bundle and checks the certificate's validity period.
If the certificate is expired or otherwise invalid, SafeSquid allows or blocks access to the site according to its configuration.
If the server certificate is valid, SafeSquid goes on to perform the TLS handshake with the client (step iii).
Once this server-side handshake completes, SafeSquid and www.xyz.com share a set of session keys. Everything SafeSquid forwards to the server is encrypted with those keys, and the server's responses are decrypted with them. The server's public key is used only to authenticate the server and to protect the key exchange; it does not encrypt the application data itself.
iii) SafeSquid performs the TLS handshake with the client.
The browser, believing it is talking to www.xyz.com through the tunnel, sends its ClientHello to SafeSquid.
SafeSquid checks whether a private key and certificate for www.xyz.com already exist on disk. If not, it generates a new key pair and a certificate for www.xyz.com, signs that certificate with its own CA certificate (the Safesquid.cer that clients import), and stores both on disk for reuse.
SafeSquid returns this generated certificate in its ServerHello to the browser.
The browser then verifies the certificate it received. It is signed by SafeSquid's CA, not by a public CA, so the browser trusts it only if Safesquid.cer has been imported into the browser's (or operating system's) trusted root certificate store. Without that import the browser shows an untrusted-issuer warning for every inspected site.
After the handshake, the browser encrypts its requests with the session keys it negotiated with SafeSquid. SafeSquid, which holds the matching private key and session keys, decrypts them, inspects the content, and re-encrypts it with the session keys of the server-side connection before forwarding it to www.xyz.com. Responses travel the same path in reverse.
Note that with inspection enabled the browser never sees the real certificate of www.xyz.com; the check in step ii is the only certificate validation on the path. Configuring SafeSquid to allow access when that check fails therefore removes certificate validation for every user behind the proxy.

    • Related Articles

    • Setup HTTPS Inspection
    • How does HTTPS work
    • Enabling HTTPS inspection on SafeSquid User Interface
    • Bypass HTTPS Inspection by using Request Types
    • Generating certificate which is required for HTTPS Inspection