
Transparent Proxies, HTTPS, and iPads…Oh My!

6 August 2013 by Karl Rivers 17 Comments

One of the most complex problems with BYOD is how you connect your student and teacher devices to the Internet without creating a huge amount of work for yourself. Transparent proxy is your friend…kind of.

Some schools I’ve been talking to require the IT department to go hands on with each device before it is permitted onto the school network. This has the benefit that each device can be vetted and manually configured, but causes a huge amount of overhead for the IT department. This isn’t a scalable solution.

What we need is a way for teachers and students to connect up their devices to WiFi in a way they are familiar with but with as little configuration as possible. That’s where transparent proxy comes in.

What is Transparent Proxy?

When a user accesses the Internet through their web browser, a transparent proxy intercepts the network traffic at the network level and directs it either to an upstream proxy or directly to the Internet. This means that no configuration is required on each device at all. Students just connect their device and are on the Internet.

That sounds great, but there is a big problem with this system.

The Problem with Transparent Proxy

Transparent proxy cannot process HTTPS traffic. The problem is understandable if you consider what a transparent proxy is doing with your data; however, it means that any website secured by an SSL certificate is not accessible without the manual configuration we were trying to avoid.

Is it that much of a problem? Yes. Any service that you log in to, or that stores secure data (Google Apps, Office 365, iTunes, iPad App Store, Prezi, Blogger), will require an HTTPS connection.

How do we get Around This?

We need a solution that is less labour intensive than manually entering proxy server information on every device. Part of the solution is PAC (proxy auto-config) files.

A .pac file is essentially a text file with a .pac extension which contains the information a device needs to connect to the Internet. The file can also contain scripting so, for example, we could enter local servers for which the proxy could be bypassed, or even use a different proxy server for different sites.

A basic PAC file

function FindProxyForURL(url, host)
{
  // Send everything via the proxy; fall back to a direct connection if the proxy is unreachable
  return "PROXY proxy.example.com:8080; DIRECT";
}

The location of the PAC file can then be entered as an option (option 252) on a DHCP server for automatic distribution.

Not very helpfully, most modern browsers are set to ignore these settings by default. Internet Explorer, for example, has to have the “Automatically detect settings” option selected, and on iOS the location of the file has to be entered manually in the network settings. This is less complex end-user configuration, but still more than I would like.

The benefit of using a PAC file is that you can change proxy server settings centrally without having to edit the configuration on each device.

The PAC file can be stored locally, although to get the greatest benefit it should be hosted on a web server your BYOD devices can access.

A slightly more complex PAC file which bypasses the proxy server for local servers

function FindProxyForURL(url, host)
{
  // Local names and address ranges that should never go through the proxy.
  // shExpMatch does not understand CIDR notation, so the address ranges use isInNet
  // (note that isInNet resolves a non-IP host via DNS before comparing).
  if ((host == "localhost") ||
      shExpMatch(host, "*localhost.*") ||
      isInNet(host, "10.10.10.0", "255.255.240.0") ||   // 10.10.10.0/20
      isInNet(host, "17.0.0.0", "255.0.0.0") ||          // 17.0.0.0/8
      shExpMatch(host, "*moodle.school.com*") ||
      shExpMatch(host, "*wifi.school.com*") ||
      isPlainHostName(host) ||
      (host == "127.0.0.1"))
  {
    return "DIRECT";
  }
  return "PROXY proxy.LEA.net:80";
}
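As an added example that is not part of the original article, the JavaScript below implements the PAC helper functions the two PAC files above rely on (shExpMatch, isInNet, isPlainHostName, dnsDomainIs) and runs the second PAC file's logic against constructed sample URLs, so a proxy.pac can be checked offline before it is published via DHCP option 252. The isInNet here only accepts IP-literal hosts (no DNS lookup); that is an assumption of this harness, not of real browsers.

```javascript
// Added example (not from the article): offline harness for PAC helper functions.
// Assumption: hosts given to isInNet are IP literals; no DNS is performed.
function shExpMatch(str, shexp) {
  // Translate a shell glob ("*" and "?") into an anchored regular expression.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                         .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => isNaN(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false; // non-IP host: not resolved here
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}
// The article's second PAC file, with isInNet for the address ranges.
function FindProxyForURL(url, host) {
  if (host === "localhost" ||
      shExpMatch(host, "*localhost.*") ||
      isInNet(host, "10.10.10.0", "255.255.240.0") ||   // 10.10.10.0/20
      isInNet(host, "17.0.0.0", "255.0.0.0") ||          // 17.0.0.0/8
      shExpMatch(host, "*moodle.school.com*") ||
      shExpMatch(host, "*wifi.school.com*") ||
      isPlainHostName(host) ||
      host === "127.0.0.1") {
    return "DIRECT";
  }
  return "PROXY proxy.LEA.net:80";
}
// Extract the host the way a browser does before calling FindProxyForURL.
function decide(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}
// Constructed sample URLs a BYOD device might request.
const SAMPLE = ["http://moodle.school.com/login", "https://10.10.12.5/admin",
                "https://www.facebook.com/", "http://intranet/", "http://10.10.16.1/"];
for (const u of SAMPLE) console.log(u, "->", decide(u));
```

Note that 10.10.16.1 falls outside 10.10.10.0/20 (the /20 covers 10.10.0.0 to 10.10.15.255), which is the kind of boundary mistake this harness catches before devices pick up the file.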

Is there any way to transparently proxy HTTPS traffic?

The problem is that HTTPS traffic is, by its very nature, secure. When you access a web page that uses HTTPS (like https://www.facebook.com), your browser creates an encrypted tunnel between your computer and Facebook. Nobody in between can access the information that is passed through the secure tunnel.

A proxy server sits in between you and Facebook and would have to terminate the secure connection and then reinstate it later on.

Technically this is possible: it’s what’s known as a “man-in-the-middle attack”, where a computer terminates a secure connection between two devices and imitates one of them in order to read the data being passed through. The problem with this is that the end-user will receive certificate errors like the one shown below, because the certificate presented by the proxy is not the one issued to the site they are visiting.

I have had one company claim that they have a way to do this safely, but I have yet to see this actually in action.

What are you Doing?

As far as I can see there is no ideal solution to transparently proxying HTTPS traffic. Everyone I speak to has a slightly different solution. The route I am taking is to use transparent proxy to get BYOD devices connected to the Internet and then give instructions for using the PAC file if they need HTTPS access.

Have you come across this issue in your school? What solution are you putting in place? Let me know in the comments.

Filed Under: BYOD, iPad

About Karl Rivers

Karl Rivers is a Director of IT who has worked in education for more than twenty years. He won the Naace Impact Award for Supporting School Services.

Comments

  1. tmackay says

    09/04/2013 at 7:20 am

    I tried the MITM approach years ago but abandoned the idea as it broke too many things, liability etc. Recently came across this blog post and it (any_proxy) works a treat: http://blog.rchapman.org/post/47406142744/transparently-proxying-http-and-https-connections

    • Karl Rivers says

      09/04/2013 at 8:15 am

      Thanks for this. I’ll give it a test out!

  2. Donovan Baarda says

    11/20/2013 at 11:52 pm

    Another option, rather than using a transparent (interception) proxy, is to redirect all port 80 to a local webpage explaining how to configure your devices to use the proxy (ie, turn on auto, set the url for your proxy.pac, whatever).

    This avoids some of the issues with interception proxies, avoids overloading your IT dept, and quickly gets most people setup correctly for both http and https.

    Of course interception proxies are still nice for all those retarded little web-client apps that don’t have proxy settings.

    • Karl Rivers says

      11/21/2013 at 6:34 am

      That’s a great idea. Thanks for the tip!

  3. Mark says

    03/20/2014 at 9:39 am

    Can’t you set up DHCP (or DNS) to push the proxy to the clients via WPAD? Then joining the mobile device to the network would set up the URL to your pac file automatically.

  4. Fast Farmer says

    06/04/2014 at 2:20 am

    Your article is out of date. Squid 3.3 supports transparent ssl caching. As for your certificate errors, you can get rid of this error by issuing a self signed trusted certificate.

    • Karl Rivers says

      06/04/2014 at 2:42 pm

      Hi,

      Thanks for the update. When I get some time I will update the article.

      Karl

      • Bobby Smith says

        07/27/2014 at 3:07 pm

        Hi Karl, I connect to my company’s wifi on my android smartphone. It is a secure connection (I had to enter a password) and it now automatically connects when I’m in range.
        Would I know if my company was using a proxy server, as I have not done anything to configure my smartphone? I just connect to it like I do when I’m at home. Or could they secretly have one?

        Thanks,
        Bobby.

        • Karl Rivers says

          07/27/2014 at 4:31 pm

          Hi Bobby,

          It’s possible your company could be using transparent proxy which means you’d just have to connect to the WiFi and you would have net access. It’s also possible they don’t have one at all.

          You could find out by installing a terminal program on your phone and running ‘tracert google.com’. This will tell you the route your phone is taking out of the network.

          Hope this helps.

          Karl

  5. Bobby says

    07/28/2014 at 6:34 pm

    Hi Karl, thank you for your reply. At work today I went onto certain websites and none of them could detect a proxy server when I connected to the wifi. I even did a test for an invisible one on Lagado and it didn’t detect anything.
    Is there any other way anyone could see what I’m searching for on my smartphone when connected to the wifi where I work? I do my internet banking and have used WhatsApp, so I was just wondering how much someone who is in charge of the network could actually see. It is my own personal device.

    Many thanks,

    Bobby

    • Karl Rivers says

      08/02/2014 at 8:37 pm

      Hi Bobby,

      It is possible, but the amount of work your network administrator would have to do to view HTTPS traffic sent to your bank wouldn’t be worth it. I think you’re safe!

      Karl

  6. Lawrence says

    11/03/2014 at 9:44 am

    Karl,

    I am a Deputy IT Manager at a school in Somerset and we have been using a filtering system from a Company Called Opendium (http://www.opendium.com/solutions/iceni). I highly recommend them for Internet and Mail Filtering.

    Regards
    Lawrence

  7. faz says

    01/11/2015 at 10:59 pm

    Hi there,

    Our school has transparent proxy in the form of:
    http://proxy.cambsed.net/student.pac port 80
    I have been trying to configure this on the raspberry pi but it is not working. Do you have any suggestions for this?

    Thanks.

    • Karl Rivers says

      01/12/2015 at 1:04 pm

      Hi,

      We’ve managed to do this but how you do it depends on which OS you’re using. If you let me know I will try to post instructions.

      Karl

  8. Digital Architect says

    03/03/2015 at 9:31 am

    I’m not understanding the assertion that transparent proxies can’t handle HTTPS. You can install a root CA on Windows without even having to ask the user to accept the cert, keep the private key in memory and not part of the cert, then generate spoofed certificates on the fly copying data out of the real certs as you go. You store these in memory and when the program is closed, the installed root CA becomes useless (no private key attached) and all of your spoofed certs are as well, since they were in memory and now gone forever.

    As long as you’re still verifying the certs you’re spoofing and passing down verification failures to the client, you’re doing absolutely nothing that can create “liability” or a “vulnerability”. You’re not breaking the security system, you’re using it precisely the way it’s meant to be used. For a long time I was worried I was doing something bad because of armchair experts on the interwebs preaching that it’s vulnerable or yada yada. The fact is people are automatically paranoid and thus irrational when discussing matters of security. Just because you’re tinkering with a security feature, that doesn’t mean you’re doing something bad or making it vulnerable. In fact such a system could be used to harden security: by plugging in a whitelist of certificate authorities much like Mozilla has done in firefox, you’ve now turned your “evil” man in the middle into an extra layer of security that is explicitly STOPPING man in the middle attacks.

    Oh and last thing, you only get browser security alerts if you’re doing it wrong. My transparent mitm proxy doesn’t throw browser alerts. It does handle TLS. It detects malicious HTML/JS being sent to the client. It detects invalid, false and exploited certificates. Nothing evil, improved security rather than compromised, secured by TLS.

    • Karl Rivers says

      03/03/2015 at 12:04 pm

      Hi,

      Thanks for your input. You’re completely right, in fact we’ve just implemented exactly the scenario you’ve suggested with our Chromebooks. When I get time I’ll do a follow up to this article with your points.

      Thanks again!

      Karl

    • Joe says

      03/10/2015 at 9:40 pm

      How would you accomplish this setup with an iPad as the client?

