WFP Stream Layer and HTTPS RRS feed

  • Question

  • I've been building an HTML filter using WFP. I've been working on it for 2 years and I'm nearly done with the product.

    It uses the stream layer and intercepts both outgoing and incoming HTTP-80 and HTTPS-443 data.

    2 weeks ago, I was successfully getting outgoing HTTPS packets before they were encrypted.

    In testing today, it appears the HTTPS packets are now encrypted when I get them from the stream data.

    In particular, Yahoo ad fetches are now HTTPS. 2 weeks ago, I saw the HTML as normal text, but not anymore.

    It appears something changed. All the documentation I've read indicates I should be able to use the stream layer to get these outgoing GET messages, before encryption.

    I've also checked the Yahoo HTML and it doesn't appear they are doing anything different, other than just using HTTPS.

    Is there some new magic needed?

    And with everyone shifting to HTTPS to try and pretend they are blocking the NSA, these filters are not going to be very helpful without decrypted support.

    Thanks, mrdclark@yahoo.com

    Saturday, January 18, 2014 6:58 PM


All replies

  • Dusty,

    I'm now getting data such as the below when filtering the stream layer for the HTTPS port.

    This is pretty much useless for doing HTTP level filtering.


    Time: 1 19 2014  15:22:38

    flowid:  2

     —  “RÛí½ø­¦Ë1´$â™IC_A3µ•]÷æY7‚Zïnd$? xk~´^à=¦ºØGÞ-zÒ:p²j4ÞÆS&áþ   / 5 
    ÀÀÀ À
     2 8    2ÿ        ec.yimg.com      

    This is pretty much useless.

    Also, I believe what I'm building will be a huge advantage for Windows as compared to Apple and Android!!!!!!

    Do I need a patch or something?

    Sunday, January 19, 2014 3:54 PM
  • HTTPS (SSL / TLS) encrypted traffic will always be encrypted end-to-end throughout WFP at this time. This has been the case since day one. The encryption / decryption takes place in a module outside of the TCP/IP stack (HTTP.sys).

    This thread may help:


    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Monday, January 20, 2014 7:06 PM
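Added example, not code from the thread or from Microsoft: a user-mode C parser for what a stream-layer callout actually receives on TCP/443 once HTTP.sys has done the encryption, namely the TLS record stream. The first record is a ClientHello, and its server_name (SNI) extension is the one HTTP-level fact still readable in clear (the "ec.yimg.com" visible in the dump above), so hostname-based filtering remains possible even though the GET inside is not. The ClientHello bytes below are constructed for the example; the function and variable names are the example's own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Parse a TLS ClientHello record and copy its server_name (SNI) hostname into out, NUL-terminated
 * (out may be NULL to only probe). Returns the name length, or -1 if not a ClientHello / no SNI. */
int tls_client_hello_sni(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    size_t p, end;
    if (len < 9 || buf[0] != 0x16 || buf[5] != 0x01)     /* record type 22 = handshake, message 1 = ClientHello */
        return -1;
    end = 5 + (((size_t)buf[3] << 8) | buf[4]);          /* end of this TLS record */
    if (end > len) end = len;                            /* tolerate a partial record from the stream */
    p = 5 + 4 + 2 + 32;                                  /* skip handshake header, client version, random */
    if (p >= end) return -1;
    p += 1 + buf[p];                                     /* session id */
    if (p + 2 > end) return -1;
    p += 2 + (((size_t)buf[p] << 8) | buf[p + 1]);       /* cipher suites (the C0.. and /5 bytes in the dump) */
    if (p >= end) return -1;
    p += 1 + buf[p];                                     /* compression methods */
    p += 2;                                              /* extensions length; bounded by record end below */
    while (p + 4 <= end) {                               /* walk the extension list */
        unsigned type = (buf[p] << 8) | buf[p + 1];
        size_t elen = ((size_t)buf[p + 2] << 8) | buf[p + 3];
        p += 4;
        if (p + elen > end) return -1;
        if (type == 0 && elen >= 5 && buf[p + 2] == 0) {  /* server_name extension, name_type host_name */
            size_t nlen = ((size_t)buf[p + 3] << 8) | buf[p + 4];
            if (5 + nlen > elen) return -1;
            if (out) { if (nlen + 1 > outlen) return -1; memcpy(out, buf + p + 5, nlen); out[nlen] = '\0'; }
            return (int)nlen;
        }
        p += elen;
    }
    return -1;
}

/* Constructed ClientHello: TLS 1.2, cipher suites C014 and 002F, SNI = ec.yimg.com (74 bytes). */
static const uint8_t sample_hello[] = {
    0x16,0x03,0x01,0x00,0x45, 0x01,0x00,0x00,0x41, 0x03,0x03,
    0xA1,0xA2,0xA3,0xA4,0xA5,0xA6,0xA7,0xA8,0xA9,0xAA,0xAB,0xAC,0xAD,0xAE,0xAF,0xB0, /* 32-byte random */
    0xB1,0xB2,0xB3,0xB4,0xB5,0xB6,0xB7,0xB8,0xB9,0xBA,0xBB,0xBC,0xBD,0xBE,0xBF,0xC0,
    0x00, 0x00,0x04, 0xC0,0x14, 0x00,0x2F, 0x01,0x00, 0x00,0x14, /* sid, suites, compression, ext len */
    0x00,0x00, 0x00,0x10, 0x00,0x0E, 0x00, 0x00,0x0B, 'e','c','.','y','i','m','g','.','c','o','m' };

const char *sample_sni(void)                             /* hostname from the sample, "" if none found */
{
    static char name[256];
    return tls_client_hello_sni(sample_hello, sizeof sample_hello, name, sizeof name) < 0 ? "" : name;
}
int main(void) { printf("SNI: %s\n", sample_sni()); return 0; }
```

A real callout would feed the parser from the NET_BUFFER_LIST data of the first outbound segment on the flow; a negative return simply means the flow is not (yet) a ClientHello.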
  • Thanks Dusty,

    I must have confused the HTTP and HTTPS streams in my logs. I'm glad there seems to be a way, though it will require some more driver code. Fortunately, I started this activity at the TCP layer, so I'll dig up some of my old code. Thanks so much, you are always very helpful. Also, once I get the product done, hopefully within a few months, I'd love to send you a free copy.

    Tuesday, January 21, 2014 4:00 PM