One of the most complex problems with BYOD is how you connect your student and teacher devices to the Internet without creating a huge amount of work for yourself. Transparent proxy is your friend…kind of.
Some schools I’ve been talking to require the IT department to go hands on with each device before it is permitted onto the school network. This has the benefit that each device can be vetted and manually configured, but causes a huge amount of overhead for the IT department. This isn’t a scalable solution.
What we need is a way for teachers and students to connect up their devices to WiFi in a way they are familiar with but with as little configuration as possible. That’s where transparent proxy comes in.
What is Transparent Proxy?
When a user accesses the Internet through their web browser, transparent proxy intercepts the network traffic and directs it to either an upstream proxy or directly to the Internet. This means that there is no configuration required at all on each device. Students just connect their device and are on the Internet.
That sounds great, but there is a big problem with this system.
The Problem with Transparent Proxy
Transparent proxy cannot process HTTPS traffic. This is understandable if you consider what transparent proxy is doing with your data: it reads and redirects the web requests passing through it, and an HTTPS connection is encrypted end to end precisely so that nothing in the middle can do that. The consequence is that any website secured by an SSL certificate is not accessible without the manual configuration we were trying to avoid.
Is it that much of a problem? Yes. Any service that you log in to, or that stores sensitive data (Google Apps, Office 365, iTunes, the iPad App Store, Prezi, Blogger), will require an HTTPS connection.
How do we get Around This?
We need a solution that is less labour intensive than manually entering proxy server information. Part of the solution is the PAC (proxy auto-config) file.
A .pac file is essentially a text file with a .pac extension which contains the information a device needs to connect to the Internet. The file is a small JavaScript function, so, for example, we could list local servers for which the proxy should be bypassed, or even use a different proxy server for different sites.
A basic PAC file
function FindProxyForURL(url, host)
{
    // Send everything via the proxy; fall back to a direct connection if the proxy is unreachable.
    return "PROXY proxy.example.com:8080; DIRECT";
}
The URL of the PAC file can then be published as an option (option 252) on a DHCP server for automatic distribution.
Not very helpfully, most modern browsers are set to ignore these settings by default. Internet Explorer, for example, has to have the “Automatically detect settings” option selected, and iOS has to have the location of the file entered manually in the network settings. This is a simpler end-user configuration than typing in proxy details, but still more than I would like.
The benefit of using a PAC file is that you can change proxy server settings centrally without having to edit the configuration on each device.
The PAC file can be stored locally, although to get the greatest benefit it should be hosted on a web server your BYOD devices can access.
A slightly more complex PAC file which bypasses the proxy server for local servers
function FindProxyForURL(url, host)
{
    // Local machines, the school's own address ranges and its hosted services go direct;
    // everything else is sent via the proxy.
    if ((host == "localhost") ||
        shExpMatch(host, "*localhost.*") ||
        isInNet(host, "10.10.0.0", "255.255.240.0") ||   // the 10.10.0.0/20 range; shExpMatch does not understand CIDR notation, isInNet does
        isInNet(host, "17.0.0.0", "255.0.0.0") ||        // the 17.0.0.0/8 range
        shExpMatch(host, "*moodle.school.com*") ||
        shExpMatch(host, "*wifi.school.com*") ||
        isPlainHostName(host) ||
        (host == "127.0.0.1"))
    {
        return "DIRECT";
    }
    return "PROXY proxy.LEA.net:80";
}
Is there any way to transparently proxy HTTPS traffic?
The problem is that HTTPS traffic is, by its very nature, secure. When you access a web page that uses HTTPS (like https://www.facebook.com), your browser creates an encrypted tunnel between your computer and Facebook. Nobody in between can access the information that is passed through the secure tunnel.
A proxy server sits in between you and Facebook and would have to terminate the secure connection and then reinstate it later on.
Technically this is possible; it’s what’s known as a “man-in-the-middle attack”, where a computer terminates a secure connection between two devices and imitates one of them to read the data being passed through. The problem with this is that the end-user will receive certificate errors like the one below:
I have had one company claim that they have a way to do this safely, but I have yet to see this actually in action.
What are you Doing?
As far as I can see there is no ideal solution to transparently proxying HTTPS traffic. Everyone I speak to has a slightly different solution. The route I am taking is to use transparent proxy to get BYOD devices connected to the Internet and then give instructions for using the PAC file if they need HTTPS access.
I tried the MITM approach years ago but abandoned the idea as it broke too many things, liability etc. Recently came across this blog post and it (any_proxy) works a treat: http://blog.rchapman.org/post/47406142744/transparently-proxying-http-and-https-connections
Thanks for this. I’ll give it a test out!
Another option is rather than use a transparent (interception) proxy is to redirect all port 80 to a local webpage explaining how to configure your devices to use the proxy (ie, turn on auto, set the url for your proxy.pac, whatever).
This avoids some of the issues with interception proxies, avoids overloading your IT dept, and quickly gets most people setup correctly for both http and https.
Of course interception proxies are still nice for all those retarded little web-client apps that don’t have proxy settings.
That’s a great idea. Thanks for the tip!
Can’t you set up DHCP (or DNS) to push the proxy to the clients via WPAD? Then joining the mobile device to the network would set up the URL to your pac file automatically.
Your article is out of date. Squid 3.3 supports transparent ssl caching. As for your certificate errors, you can get rid of this error by issuing a self signed trusted certificate.
Hi,
Thanks for the update. When I get some time I will update the article.
Karl
Hi Karl, I connect to my company’s wifi on my android smartphone, it is a secure connection (had to enter password) now automatically connects when I’m in range.
Would I know if my company was using a proxy server as I have not done anything to configure my smartphone, i just connect to it like I do when I’m at home or could they secretly have one?
Thanks,
Bobby.
Hi Bobby,
It’s possible your company could be using transparent proxy which means you’d just have to connect to the WiFi and you would have net access. It’s also possible they don’t have one at all.
You could find out by installing a terminal program on your phone and running ‘tracert google.com’. This will tell you the route your phone is taking out of the network.
Hope this helps.
Karl
Hi Karl thank you for your reply, at work today I went onto certain websites and none of them could detect a proxy server when I connected to the wifi, I even did a test for an invisible one on Lagado and it didn’t detect anything.
Is there any other way anyone could see what I’m searching for on my smartphone when connected to the wifi where I work, I do my internet banking and have used WhatsApp so was just wondering how much someone who is in charge of the network could actually see. It is my own personal device.
Many thanks,
Bobby
Hi Bobby,
It is possible, but the amount of work your network administrator would have to do to view HTTPS traffic sent to your bank wouldn’t be worth it. I think you’re safe!
Karl
Karl,
I am a Deputy IT Manager at a school in Somerset and we have been using a filtering system from a company called Opendium (http://www.opendium.com/solutions/iceni). I highly recommend them for Internet and Mail Filtering.
Regards
Lawrence
Hi there,
Our school has transparent proxy in the form of:
http://proxy.cambsed.net/student.pac port 80
I have been trying to configure this on the raspberry pi but it is not working. Do you have any suggestions for this?
Thanks.
Hi,
We’ve managed to do this but how you do it depends on which OS you’re using. If you let me know I will try to post instructions.
Karl
I’m not understanding the assertion that transparent proxies can’t handle HTTPS. You can install a root CA on Windows without even having to ask the user to accept the cert, keep the private key in memory and not part of the cert, then generate spoofed certificates on the fly copying data out of the real certs as you go. You store these in memory and when the program is closed, the installed root CA becomes useless (no private key attached) and all of your spoofed certs are as well, since they were in memory and now gone forever.
As long as you’re still verifying the certs you’re spoofing and passing down verification failures to the client, you’re doing absolutely nothing that can create “liability” or a “vulnerability”. You’re not breaking the security system, you’re using it precisely the way it’s meant to be used. For a long time I was worried I was doing something bad because of armchair experts on the interwebs preaching that it’s vulnerable or yada yada. The fact is people are automatically paranoid and thus irrational when discussing matters of security. Just because you’re tinkering with a security feature, that doesn’t mean you’re doing something bad or making it vulnerable. In fact such a system could be used to harden security: by plugging in a whitelist of certificate authorities much like Mozilla has done in Firefox, you’ve now turned your “evil” man in the middle into an extra layer of security that is explicitly STOPPING man in the middle attacks.
Oh and last thing, you only get browser security alerts if you’re doing it wrong. My transparent mitm proxy doesn’t throw browser alerts. It does handle TLS. It detects malicious HTML/JS being sent to the client. It detects invalid, false and exploited certificates. Nothing evil, improved security rather than compromised, secured by TLS.
Hi,
Thanks for your input. You’re completely right, in fact we’ve just implemented exactly the scenario you’ve suggested with our Chromebooks. When I get time I’ll do a follow up to this article with your points.
Thanks again!
Karl
How would you accomplish this setup with an iPad as the client?