Why Proxy is Still Decrypting HTTPS?¶
Q: We have deployed Web Safety within our LAN but according to the corporate policies we did NOT enable HTTPS decryption. Still, we sometimes get the error from the browser telling us that the HTTPS connection was decrypted. Why is it so?
For Firefox we get the following error.
Warning: Potential Security Risk Ahead
Firefox detected a potential security threat and did not continue to www.example.com.
If you visit this site, attackers could try to steal information like your passwords,
emails, or credit card details.
For Microsoft Edge/Google Chrome we get the following error.
Your connection isn't private
Attackers might be trying to steal your information from example.com (for example,
passwords, messages, or credit cards).
A: If the browser has made a connection using HTTPS and the proxy cannot satisfy the browser request, the proxy tries to be helpful and explain why the request cannot be satisfied. To do that, it needs to present the page with explanation text to the user, for example, access to the proxy is denied or firewall prevented connection to the origin server or even the origin server does not exist.
Unfortunately, as the connection was made using HTTPS, the proxy needs to decrypt it first to show the message - and when you have NOT installed the Root Decryption Certificate of the proxy as trusted in the browser (because you do not need to filter HTTPS) - the browser gives that frightening message.
If this happens on any connection to any site - then most probably the proxy needs additional configuration in order to work correctly, for example, if you have a proxy deployed in the cloud and client made the connection to it using public Internet IP address, you would need to configure proxy authentication as explained in the article Allow Connections to Proxy in Microsoft Azure.