

Ask HN: Anyone know how bluecoat mess up with https? - chanux

I came across a guy who was boasting about the awesome ability of bypassing https that a web proxy named blueCoat has. The guy was quite confident about what he was saying. This left me shocked even though I knew it can not be breaking SSL but maybe some workaround.

After a bit of research I found I was right but I'm still curious to know if bluecoat can bypass https by _some way_.

Update: BlueCoat web site : http://www.bluecoat.com (I think this is the BlueCoat that guy was talking about)
======
tshtf
BlueCoat documents this fairly well here:
[http://directorblue.blogspot.com/2006/07/think-your-ssl-traf...](http://directorblue.blogspot.com/2006/07/think-your-ssl-traffic-is-secure-if.html)

When the SSL Proxy intercepts an SSL connection, it presents an emulated
server certificate to the client browser. The client browser issues a security
pop-up to the end-user because the browser does not trust the issuer used by
the ProxySG. This pop-up does not occur if the issuer certificate used by SSL
Proxy is imported as a trusted root in the client browser's certificate store.

The ProxySG makes all configured certificates available for download via its
management console. You can ask end users to download the issuer certificate
through Internet Explorer or Firefox and install it as a trusted CA in their
browser of choice. This eliminates the certificate popup for emulated
certificates...

Edit: Transparently pushing trusted CA certs to end-users in a typical
corporate environment is easy with group policy settings.
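
The trust behaviour quoted in the comment above, reproduced offline with `openssl` as an added example (not part of the thread and not BlueCoat's code). The names `OriginCA`, `ExampleProxyIssuer`, `www.example.test` and the store file names are assumptions made for this lab, and every key and certificate is generated locally and thrown away.

```bash
#!/usr/bin/env bash
# Constructed lab: every key, name and certificate is a throwaway generated locally.
# "OriginCA" plays a public CA; "ExampleProxyIssuer" plays the proxy's issuer cert.
set -eu
LAB=$(mktemp -d)
printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
  '[dn]' 'CN = unused' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$LAB/lab.cnf"

# make_ca NAME: self-signed CA certificate NAME.crt with key NAME.key.
make_ca() {
  openssl req -x509 -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$LAB/$1.key" -out "$LAB/$1.crt" 2>/dev/null
}

# issue_leaf CA: certificate for www.example.test signed by CA, saved as CA-leaf.crt.
issue_leaf() {
  openssl req -new -config "$LAB/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$LAB/$1-leaf.key" -out "$LAB/$1-leaf.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$1-leaf.csr" -CA "$LAB/$1.crt" -CAkey "$LAB/$1.key" \
    -set_serial 1 -days 1 -out "$LAB/$1-leaf.crt" 2>/dev/null
}

# trusted STORE CA: succeeds only if CA's leaf chains to a root in the client STORE.
trusted() {
  openssl verify -CAfile "$LAB/$1" "$LAB/$2-leaf.crt" 2>/dev/null | grep -q ': OK$'
}

# issuer_cn CA: issuer common name a user would see in the certificate viewer.
issuer_cn() { openssl x509 -in "$LAB/$1-leaf.crt" -noout -issuer | sed 's/.*CN *= *//'; }

for ca in OriginCA ExampleProxyIssuer; do make_ca "$ca"; issue_leaf "$ca"; done
# Stock client trust store, then the same store after the issuer cert is imported.
cp "$LAB/OriginCA.crt" "$LAB/store-before.pem"
cat "$LAB/OriginCA.crt" "$LAB/ExampleProxyIssuer.crt" > "$LAB/store-after.pem"

report() { if trusted "$1" "$2"; then echo "no warning"; else echo "security pop-up"; fi; }
echo "direct, stock store:        $(report store-before.pem OriginCA)"
echo "via proxy, stock store:     $(report store-before.pem ExampleProxyIssuer)"
echo "via proxy, issuer imported: $(report store-after.pem ExampleProxyIssuer)"
echo "issuer shown via proxy:     $(issuer_cn ExampleProxyIssuer)"
```

Even when the imported root silences the warning, the issuer field of the presented certificate still names the proxy's issuer rather than the CA the site actually uses, which is the check a user or auditor can make from the client side.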

