AdGuard Assistant missing on *all* HTTPS-sites

Larry Laffer

New Member
Hi,

When opening any secure site (HTTPS), the AA appears on none of them. This does not depend on the site's content, as for instance a diff check of http://www.wetter.de (AA available) vs. https://www.wetter.de (AA unavailable) shows.
That's a PITA bc it requires a lot of time and programming/scripting knowledge to filter out some elements on HTTPS sites.

AG 5.10.2051.6368, AA 3.0.80 (and older), HTTPS scanning enabled, requested sites not in exception list

Please fix.

Thank you

P.S. same behavior /w AG 6.0.103.580 and AA 3.0.80
 

Larry Laffer

New Member
FF 42, IE8, Iceweasel 24.6.0, Safari of iOS 5.1.1. - it's all the same.
No matter if I use direct filtering (intended mode of AG: Browser and AG on the same machine) or do filter a proxy used by iOS and Win and lx.
 

Boo Berry

Moderator + Beta Tester
What Windows OS are you using?

As for IE8, I don't believe the Assistant is supported there anymore due to security concerns. Adguard for iOS also doesn't support HTTPS filtering - I'm not sure, but I don't believe it's possible to support HTTPS filtering on iOS at all.

Iceweasel? That's Debian's de-branded Firefox release. There was an old port to Windows several years ago, but it hasn't been updated as far as I can tell. Also it won't be on Adguard's default app filtering list, so you'd have to manually add it. If you're using Debian for Iceweasel you'll have to use the Adguard for Firefox browser extension.
 

Larry Laffer

New Member
I'm a bit surprised you didn't get the idea of "AA is shown on sites accessed by HTTP but not on sites accessed by HTTPS". We talk about the exact same site accessed from the exact same machine by either http://... or https://...
So if it works for HTTP I do not see why it was the machine/browser if it doesn't work for HTTPS.

To answer your questions:
The machines are XPSP3 (AG and FF on same machine) and 2k3SP2 as proxy server (AG and proxy software on same machine).

As for IE8 I didn't test today but AFAIR it used to work back then.

I am not using AG4iOS but above mentioned proxy (AG4iOS does not support original iPad :( ). So yes, HTTPS is in fact filtered by AG (I had to import the cert to make it work).

Iceweasel on Debian. And it's filtered by AG (above mentioned proxy).


But anyway: Just make it work for HTTPS sites in FF42, please, and it'll magically work for the other systems too, I'm sure.
 

avatar

Administrator
Staff member
Follow up on our remote access session.


Issue #1: Windows XP + Adguard v5
The problem was that you've suppressed requests to "injections.adguard.com". Because of that Adguard was not filtering these requests at all, hence AA was not injected to the webpages. Resolved with installing Adguard v6 which uses a better way with "local.adguard.com".

Issue #2: Windows 2003 + Adguard v6 + FreeProxy
The problem is that Windows 2003 does not support SHA256 hashed certificates.

1. Most of the root authorities nowadays are sha256 hashed.
2. Adguard uses WinApi methods for certificates validation.
3. Because of the lack of sha256 support, Adguard considered most SSL certificates invalid. If Adguard fails to verify a certificate, it stops SSL filtering for that domain.
4. That is also the reason why most of https websites were not working in IE.

More information about sha256 support in older windows versions:
http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx
 
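To see which certificates a host without SHA-2 support would reject, as described under Issue #2 above, one can read the signature algorithm from the certificate itself. The sketch below is an added example, not part of the original post and not Adguard code; the function names are hypothetical, and the two sample "certificates" are constructed DER stubs that carry only the fields the parser walks. It inspects a single certificate, so every certificate in a chain would need the same check.

```python
# Added example: the sample inputs are constructed DER stubs, not real certificates.
SHA2_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    _, cert, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return decode_oid(oid)

def needs_sha2(cert_der):
    """True if checking this signature requires SHA-2 support on the host."""
    return signature_oid(cert_der) in SHA2_SIG_OIDS

def _tlv(tag, body):                       # short-form encoder, used for the samples only
    return bytes([tag, len(body)]) + body

def sample_cert(oid_hex):
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg)      # stub tbsCertificate
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\xaa"))

SHA1_CERT = sample_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_CERT = sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption

if __name__ == "__main__":
    for name, der in (("sha1", SHA1_CERT), ("sha256", SHA256_CERT)):
        print(name, signature_oid(der), "needs SHA-2:", needs_sha2(der))
```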

Larry Laffer

New Member
Issue #1: Windows XP + Adguard v5
The problem was that you've suppressed requests to "injections.adguard.com". Because of that Adguard was not filtering these requests at all, hence AA was not injected to the webpages. Resolved with installing Adguard v6 which uses a better way with "local.adguard.com".
Pls correct/delete me if I'm wrong: I see the issue in AG having 'remembered' its own cert as invalid*.
So as a feature request: Re-validate 'invalid' certs every once in a while. You even can do this in the background (but use a checkbox in config to enable background check (enabled by default) so paranoid ppl like me don't suspect you to leak info).
Why? Same issue might happen after MITM attacks (or mandatory/transparent proxies), invalidating sites' certs 'forever' is IMHO counterproductive (especially your own!! ;) ).


* I presented AG a false cert by redirecting injections.adguard.com (using DNS/hosts) to stunnel.org's stunnel.exe on localhost which presents no valid cert

---------- Post added at 09:31 PM ---------- Previous post was at 08:20 PM ----------

So as a feature request: Re-validate 'invalid' certs every once in a while.
Why do you save that info at all? What is the actual performance gain (in user experience, a.k.a. ms delay) of using your db to not check a presented cert* vs. requesting a cert and (re-)checking it?

* thinking a cert was invalid bc it had been invalid once in the past
 

avatar

Administrator
Staff member
Pls correct/delete me if I'm wrong: I see the issue in AG having 'remembered' its own cert as invalid*.
So as a feature request: Re-validate 'invalid' certs every once in a while. You even can do this in the background (but use a checkbox in config to enable background check (enabled by default) so paranoid ppl like me don't suspect you to leak info). Why? Same issue might happen after MITM attacks (or mandatory/transparent proxies), invalidating sites' certs 'forever' is IMHO counterproductive (especially your own!! ;) ).
We of course re-validate certs. Cache is flushed on every Adguard run.

* I presented AG a false cert by redirecting injections.adguard.com (using DNS/hosts) to stunnel.org's stunnel.exe on localhost which presents no valid cert
The cert itself can't be valid, it's also a pair "domain" - "certificate".

Why do you save that info at all? What is the actual performance gain (in user experience, a.k.a. ms delay) of using your db to not check a presented cert* vs. requesting a cert and (re-)checking it?
Performance gain is huge. Verifying cert involves sending a web request to an OCSP server and that can take much time.
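The trade-off discussed in this exchange (skip the slow OCSP round trip, but do not keep a rejection forever) can be shown with a small verdict cache keyed by the "domain" - "certificate" pair. This is an added example, not part of the original posts and not Adguard's implementation: the class, the TTL values and the stand-in verifier are assumptions, and the thread itself only states that the cache is flushed on every Adguard run.

```python
import hashlib

class VerdictCache:
    """Validation verdicts keyed by the (domain, certificate) pair."""

    def __init__(self, verify, ok_ttl=3600.0, bad_ttl=60.0):
        self._verify = verify              # expensive check (chain building, OCSP, ...)
        self._ttl = {True: ok_ttl, False: bad_ttl}   # assumed lifetimes in seconds
        self._entries = {}                 # (domain, fingerprint) -> (verdict, expiry)

    def is_valid(self, domain, cert_der, now):
        key = (domain.lower(), hashlib.sha256(cert_der).hexdigest())
        hit = self._entries.get(key)
        if hit is not None and now < hit[1]:
            return hit[0]                  # fresh entry: no network round trip
        verdict = bool(self._verify(domain, cert_der))
        self._entries[key] = (verdict, now + self._ttl[verdict])
        return verdict

    def flush(self):
        """Drop everything, as a restart of the filtering process would."""
        self._entries.clear()

def demo():
    calls = []
    trusted = set()                        # certs the stand-in verifier accepts
    def verify(domain, cert_der):
        calls.append(domain)
        return cert_der in trusted
    cache = VerdictCache(verify, ok_ttl=3600, bad_ttl=60)
    cert = b"constructed certificate bytes"          # constructed sample input
    verdicts = [cache.is_valid("site.example", cert, now=0),    # verified: rejected
                cache.is_valid("site.example", cert, now=30)]   # cached rejection
    trusted.add(cert)                      # the cause of the failure goes away
    verdicts.append(cache.is_valid("site.example", cert, now=45))   # still cached
    verdicts.append(cache.is_valid("site.example", cert, now=61))   # re-verified
    verdicts.append(cache.is_valid("site.example", cert, now=100))  # cached accept
    return verdicts, len(calls)

if __name__ == "__main__":
    print(demo())
```

A short lifetime for rejections bounds how long a transient failure sticks, while the long lifetime for accepted pairs keeps most requests off the network.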
 

iScriptShift

New Member
*Also I would like to say this is happening to me too. Sites like yahoo and google, AA doesn't come up (mainly after this last ag update). Things like ebay and such is sweet.

(btw andrey this issue is on my laptop on which I still have the extensions enabled and wfp disabled. not on my desktop pc which we had a remote session on!)
 

avatar

Administrator
Staff member
*Also I would like to say this is happening to me too. Sites like yahoo and google, AA doesn't come up (mainly after this last ag update). Things like ebay and such is sweet.
Are the ads blocked at that time?
Have you tried cleaning browser cache?
 

iScriptShift

New Member
Are the ads blocked at that time?
Have you tried cleaning browser cache?
Ads are blocked. I never keep browser cache. (Auto deletes on exit). Still happening as of today.

Like as on Wikipedia, it isn't coming up since it's "https://...." here at adguard forum it's not https, assistant is here.
 

mysteriously

Beta Tester & Translator
iScriptShift@: Hmm, so:
1) Ads are blocked on both HTTP and HTTPS websites
2) The assistant does not appear on HTTPS websites and works fine on HTTPS
3) Did you notice any other weird behavior like blocked ads but not removed ads placeholders, empty boxes in places of ads or just text ads?
 

iScriptShift

New Member
@Avatar - Well I don't think I have time for more remote sessions until months now. This Thursday I'm leaving for a 40+ days holidays for Christmas and stuff so I won't be able to use my PC. I'll just have ipads and such posting here.

@Buuuuuuuuuuu190 - 1) Yes, ads are blocked though.
2) The assistant DOES NOT appear on HTTPS, but APPEARS on HTTP. :)
3) I haven't noticed anything else than that lately.
 

mysteriously

Beta Tester & Translator
So it happens for me as well. All I need to do is to leave browser in background and just do other tasks like playing any Steam game. Then after some time the assistant is gone.
Sometimes I also see unfixed blank space in place where ad was removed.
 

avatar

Administrator
Staff member
Wow, so steam is breaking injecting CSS/JS on HTTPS websites?

How is that possible?:) Mind if I take a look through remote access?
 

mysteriously

Beta Tester & Translator
No, I meant it breaks 'by itself', it just needs a time :)
Sure, if you are patient enough to do it on slow netbook and with such sick configuration as mine :)
Team Viewer 10 or 11?
 

mysteriously

Beta Tester & Translator
On Youtube sometimes it looks like this



The loading circle was spinning because I already clicked on 1st video and then took the screenshot.
I won't touch anything when the issue occurs next time (will not let the PC go to sleep mode etc.)
 

avatar

Administrator
Staff member
On Youtube sometimes it looks like this



The loading circle was spinning because I already clicked on 1st video and then took the screenshot.
I won't touch anything when the issue occurs next time (will not let the PC go to sleep mode etc.)
Would be great, I'd like to see it with my own eyes
 