HTTPS redirects to HTTP for monitoring

chris tknchris at
Sun Jan 18 15:25:54 UTC 2015


I have been going through something very interesting recently that relates
to this. We have a customer who google is flagging for "abusive" search
behavior. Because google now forces all search traffic to be SSL, it has
made attempting to track down the supposed "bad traffic"  extremely
difficult. We have contacted google through several channels and no one at
google who we've worked with is able to provide us any factual examples of
what they are seeing and because of the traffic being encrypted all our
usual capture and analysis tools have been fairly useless.

I'm sure this this will be more and more prevalent but its really
frustrating when the vendor who forces SSL cannot or will not provide
actual documentation that can help us investigate. So far the only ideas
we've come up with are to play some tricks with DNS overrides and force the
users to non SSL search so we can inspect http traffic or we were also
looking into doing something like using SQUID mitm SSL and allow us to at
least inspect the traffic there.

Overall we're not thrilled about the other side effects / implications that
can be caused by these workarounds, and in this situation our customer who
happens to be a customer of several google apps is very disappointed that
they cannot be more cooperative.

I am very interested to hear if others have run into similar situations and
how it was handled etc. I am sure we will see this type of issue again with
the number of hosted and SaaS solutions growing exponentially, so we are
looking into various options so that in the future we have better
accomodations to handle this situation with or without cooperation on the
hosted side.


On Sun, Jan 18, 2015 at 7:29 AM, Grant Ridder <shortdudey123 at>

> Hi Everyone,
> I wanted to see what opinions and thoughts were out there.  What software,
> appliances, or services are being used to monitor web traffic for
> "inappropriate" content on the SSL side of things?  personal use?
> enterprise enterprise?
> It looks like Websense might do decryption (
> while Covenant Eyes does
> some sort of session hijack to redirect to non-ssl (atleast for Google) (
> Thoughts on having a product that decrypts SSL traffic internally vs one
> that doesn't allow SSL to start with?
> -Grant

More information about the NANOG mailing list