Last update: January 18, 2021
Understanding this article may require some basic knowledge about encryption, the TLS protocol, and HTTPS.
First, look at this simple diagram that shows the general structure of the HTTPS protocol:
AdGuard copies properties of the TLS-connection that your browser uses:
Effectively, it means that if you use a modern, safe browser, it will take all known TLS problems into account and won’t attempt to use unsafe ciphers.
What does AdGuard do when there are any doubts about the certificate’s validity? In such cases, AdGuard entirely ceases filtering of all connections to this domain and leaves the browser in charge of all decisions.
HTTPS filtering in AdGuard has its drawbacks. Almost all of them are scheduled to be eliminated in the next few AdGuard versions.
All the issues known to us and the ETAs on their fixes are listed below.
The most important drawback of the HTTPS filtering mechanism is that it hides the real certificate of a website. You cannot simply check its original certificate because you can only see the one issued by AdGuard.
This problem is solved in Browser Assistant. This browser extension helps you manage filtering directly from the browser and allows you to inspect the original certificate of any website.
Thanks to modern cryptography, browsers can usually detect malicious websites that are provisioned with forged or fake SSL certificates. However, current cryptographic mechanisms aren’t so good at detecting malicious websites if they’re provisioned with mistakenly issued certificates or certificates that have been issued by a certificate authority (CA) that’s been compromised or gone rogue. Certificate Transparency aims to remedy these certificate-based threats by making the issuance and existence of SSL certificates open to scrutiny by domain owners, CAs, and domain users.
Browsers ignore the
Expect-CT header in the case of local certificates, and, to achieve the same level of security, we must implement the certificate transparency check on our side.
ETA: ETA is Q3 2021.
If you’d like to add something, report any errors, or ask a question, please contact us at:
devteam at adguard.com.