JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
From:
Ray Soucy <[log in to unmask]>
Reply To:
Joebox User <[log in to unmask]>
Date:
Thu, 2 Jun 2011 13:04:00 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (42 lines)
Freeport HS discovered an odd bug with Safari not blocking HTTPS sites
under the following conditions:

1. System is configured to automatically detect proxy settings using
WPAD or manually configured to use a WPAD script.
2. Force MECguard SSL is not checked

The issue was hard to track down because the HTTPS requests will get
logged by MECguard as blocked, but go through fine on the host.

After some digging we discovered that Safari incorrectly makes
requests to both the proxy server and a direct request instead of only
making a proxy request and will prefer the direct request if it gets a
response.  The result is that pages appear to get blocked in the log,
but are allowed through to the user.

Checking the "Force MECguard SSL" option for the group prevents Safari
from being able to complete the direct request and will make it use
the proxy.

This with the current version of Safari.  I'm not sure if previous
versions act the same way, but I highly suspect they do and this is an
Apple "feature" to avoid interrupting browsing from broken proxy
configuration scripts.

Firefox and Chrome work correctly and use the proxy only every time.

Note that if using MECguard SSL you should be using the Force option
as any technical student will be able to get around the filter unless
it's forced, so this issue is really something you might encounter
during testing or transition to MECguard SSL.

-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/

ATOM RSS1 RSS2