AdGuard Assistant missing on *all* HTTPS-sites

Discussion in 'Technical Support (AdGuard for Windows)' started by Larry Laffer, Nov 24, 2015.

  1. Larry Laffer

    Larry Laffer New Member

    Joined:
    Nov 22, 2015
    Messages:
    36
    Hi,

    When opening any secure site (HTTPS), the AA appears on none of them. This does not depend on the site's content, as for instance a diff check of http://www.wetter.de (AA available) vs. https://www.wetter.de (AA unavailable) shows.
    That's a PITA bc it requires a lot of time and programming/scripting knowledge to filter out some elements on HTTPS sites.

    AG 5.10.2051.6368, AA 3.0.80 (and older), HTTPS scanning enabled, requested sites not in exception list

    Please fix.

    Thank you

    P.S. same behavior /w AG 6.0.103.580 and AA 3.0.80
     
  2. Blaz

    Blaz Moderator & Translator Staff Member Moderator

    Joined:
    Dec 21, 2014
    Messages:
    9,938
    Which browser do you use?
     
  3. Larry Laffer

    Larry Laffer New Member

    Joined:
    Nov 22, 2015
    Messages:
    36
    FF 42, IE8, Iceweasel 24.6.0, Safari of iOS 5.1.1. - it's all the same.
    No matter if I use direct filtering (intended mode of AG: Browser and AG on the same machine) or do filter a proxy used by iOS and Win and lx.
     
  4. Boo Berry

    Boo Berry Moderator + Beta Tester Moderator

    Joined:
    May 30, 2012
    Messages:
    4,215
    What Windows OS are you using?

    As for IE8, I don't believe the Assistant is supported there anymore due to security concerns. Adguard for iOS also doesn't support HTTPS filtering - I'm not sure, but I don't believe it's possible to support HTTPS filtering on iOS at all.

    Iceweasel? That's Debian's de-branded Firefox release. There was an old port to Windows several years ago, but it hasn't been updated as far as I can tell. Also it won't be on Adguard's default app filtering list, so you'd have to manually add it. If you're using Debian for Iceweasel you'll have to use the Adguard for Firefox browser extension.
     
  5. Larry Laffer

    Larry Laffer New Member

    Joined:
    Nov 22, 2015
    Messages:
    36
    I'm a bit surprised you didn't get the idea of "AA is shown on sites accessed by HTTP but not on sites accessed by HTTPS". We talk about the exact same site accessed from the exact same machine by either http://... or https://...
    So if it works for HTTP I do not see why it was the machine/browser if it doesn't work for HTTPS.

    To answer your questions:
    The machines are XPSP3 (AG and FF on same machine) and 2k3SP2 as proxy server (AG and proxy software on same machine).

    As for IE8 I didn't test today but AFAIR it used to work back then.

    I am not using AG4iOS but above mentioned proxy (AG4iOS does not support original iPad :( ). So yes, HTTPS is in fact filtered by AG (I had to import the cert to make it work).

    Iceweasel on Debian. And it's filtered by AG (above mentioned proxy).


    But anyway: Just make it work for HTTPS sites in FF42, please, and it'll magically work for the other systems too, I'm sure.
     
    Last edited by a moderator: Nov 24, 2015
  6. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    13,144
    Follow up on our remote access session.


    Issue #1: Windows XP + Adguard v5
    The problem was that you've suppressed requests to "injections.adguard.com". Because of that, Adguard was not filtering these requests at all, hence AA was not injected into the webpages. Resolved by installing Adguard v6, which uses a better way with "local.adguard.com".

    Issue #2: Windows 2003 + Adguard v6 + FreeProxy
    The problem is that Windows 2003 does not support SHA256 hashed certificates.

    1. Most of the root authorities nowadays are sha256 hashed.
    2. Adguard uses WinApi methods for certificates validation.
    3. Because of the lack of sha256 support, Adguard considered most SSL certificates invalid. If Adguard fails to verify a certificate, it stops SSL filtering for that domain.
    4. That is also the reason why most of https websites were not working in IE.

    More information about sha256 support in older windows versions:
    http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx
     
    Last edited by a moderator: Nov 25, 2015
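Added example, not AdGuard code and not part of the original post: a small Python check for the condition described under Issue #2. It reads the signature algorithm from DER-encoded certificates and lists the ones in a chain that need SHA-2; the two sample certificates are constructed skeletons, and treating an unknown OID as unsupported is an assumption.

```python
SIG_ALGS = {  # dotted OID -> (name, needs SHA-2); subset for the samples
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for byte in body[1:]:  # base-128 digits, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):  # SEQUENCE { tbs, sigAlg, signature }
    tag, start, _ = read_tlv(cert_der, 0)
    _, _, tbs_end = read_tlv(cert_der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate structure")
    oid = decode_oid(cert_der[oid_start:oid_end])
    return SIG_ALGS.get(oid, (oid, True))  # unknown OID: assume unsupported

def blocked_on_legacy(chain):  # algorithms in the chain that need SHA-2
    return [name for name, sha2 in map(signature_algorithm, chain) if sha2]

def tlv(tag, body):  # minimal DER encoder, used only to build the samples
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(oid_hex):  # constructed skeleton: dummy TBS, dummy signature
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tlv(0x04, bytes(300))) + alg + tlv(0x03, bytes(9)))

SHA1_CERT = sample_cert("2a864886f70d010105")
SHA256_CERT = sample_cert("2a864886f70d01010b")
```

`blocked_on_legacy([SHA1_CERT, SHA256_CERT])` names only the SHA-256 signed certificate, which is the one a validator without SHA-2 support cannot verify.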
  7. Larry Laffer

    Larry Laffer New Member

    Joined:
    Nov 22, 2015
    Messages:
    36
    Pls correct/delete me if I'm wrong: I see the issue in AG having 'remembered' its own cert as invalid*.
    So as a feature request: Re-validate 'invalid' certs every once in a while. You can even do this in the background (but use a checkbox in config to enable background check (enabled by default) so paranoid ppl like me don't suspect you to leak info).
    Why? Same issue might happen after MITM attacks (or mandatory/transparent proxies), invalidating sites' certs 'forever' is IMHO counterproductive (especially your own!! ;) ).


    * I presented AG a false cert by redirecting injections.adguard.com (using DNS/hosts) to stunnel.org's stunnel.exe on localhost which presents no valid cert

    ---------- Post added at 09:31 PM ---------- Previous post was at 08:20 PM ----------

    Why do you save that info at all? What is the actual performance gain (in user experience, a.k.a. ms delay) of using your db to not check a presented cert* vs. requesting a cert and (re-)checking it?

    * thinking a cert was invalid bc it had been invalid once in the past
     
  8. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    13,144
    We of course re-validate certs. Cache is flushed on every Adguard run.

    The cert itself can't be valid, it's also a pair "domain" - "certificate".

    Performance gain is huge. Verifying a cert involves sending a web request to an OCSP server and that can take much time.
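
Added example, not AdGuard code and not part of the posts above: a Python sketch of a verdict cache keyed on the "domain" - "certificate" pair mentioned in this reply, so that a bad certificate seen once for a domain does not stick to the genuine one. The class name, the injected `validate` callable (standing in for the slow chain and OCSP check) and the shorter lifetime for negative verdicts are assumptions for illustration; the thread only states that the real cache is flushed on every run.

```python
import hashlib
import time

class VerdictCache:
    """Caches validation verdicts per (domain, certificate fingerprint)."""

    def __init__(self, validate, ok_ttl=3600.0, bad_ttl=300.0, clock=time.monotonic):
        self._validate = validate            # expensive check (chain + OCSP)
        self._ttl = {True: ok_ttl, False: bad_ttl}
        self._clock = clock
        self._entries = {}                   # (domain, sha256) -> (verdict, expiry)

    def is_valid(self, domain, cert_der):
        key = (domain.lower(), hashlib.sha256(cert_der).hexdigest())
        now = self._clock()
        hit = self._entries.get(key)
        if hit and now < hit[1]:
            return hit[0]                    # fresh verdict, no network round trip
        verdict = bool(self._validate(domain, cert_der))
        self._entries[key] = (verdict, now + self._ttl[verdict])
        return verdict

    def flush(self):                         # what a restart does per the reply
        self._entries.clear()

def demo():
    """Constructed scenario with a fake clock and a fake validator."""
    now, calls, trusted = [0.0], [], {b"GENUINE-CERT"}

    def validate(domain, cert):
        calls.append(domain)
        return cert in trusted

    cache = VerdictCache(validate, clock=lambda: now[0])
    seen = [
        cache.is_valid("site.example", b"FAILS-AT-FIRST"),  # validated: invalid
        cache.is_valid("site.example", b"FAILS-AT-FIRST"),  # served from cache
        cache.is_valid("site.example", b"GENUINE-CERT"),    # other cert, own verdict
    ]
    now[0] = 301.0                           # negative verdict has expired
    trusted.add(b"FAILS-AT-FIRST")           # e.g. the earlier failure was transient
    seen.append(cache.is_valid("site.example", b"FAILS-AT-FIRST"))
    return seen, len(calls)
```

In `demo()` the validator runs three times for four lookups, and the certificate that failed at first is accepted once its negative entry has aged out.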
     
  9. iScriptShift

    iScriptShift New Member

    Joined:
    Sep 13, 2015
    Messages:
    30
    *Also I would like to say this is happening to me too. Sites like yahoo and google, AA doesn't come up (mainly after this last ag update). Things like ebay and such is sweet.

    (btw andrey this issue is on my laptop on which I still have the extensions enabled and wfp disabled. not on my desktop pc which we had a remote session on!)
     
  10. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    13,144
    Are the ads blocked at that time?
    Have you tried cleaning browser cache?
     
  11. iScriptShift

    iScriptShift New Member

    Joined:
    Sep 13, 2015
    Messages:
    30
    Ads are blocked. I never keep browser cache. (Auto deletes on exit). Still happening as of today.

    Like as on Wikipedia, it isn't coming up since it's "https://...." here at adguard forum it's not https, assistant is here.
     
  12. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    13,144
    Weird, can I take a look through remote access?
     
  13. mysteriously

    mysteriously Beta Tester & Translator

    Joined:
    May 4, 2014
    Messages:
    508
    iScriptShift@: Hmm, so:
    1) Ads are blocked on both HTTP and HTTPS websites
    2) The assistant does not appear on HTTPS websites and works fine on HTTPS
    3) Did you notice any other weird behavior like blocked ads but not removed ads placeholders, empty boxes in places of ads or just text ads?
     
  14. iScriptShift

    iScriptShift New Member

    Joined:
    Sep 13, 2015
    Messages:
    30
    @Avatar - Well I don't think I have time for more remote sessions until months now. This Thursday I'm leaving for a 40+ days holidays for Christmas and stuff so I won't be able to use my PC. I'll just have ipads and such posting here.

    @Buuuuuuuuuuu190 - 1) Yes, ads are blocked though.
    2) The assistant DOES NOT appear on HTTPS, but APPEARS on HTTP. :)
    3) I haven't noticed anything else than that lately.
     
  15. mysteriously

    mysteriously Beta Tester & Translator

    Joined:
    May 4, 2014
    Messages:
    508
    So it happens for me as well. All I need to do is to leave browser in background and just do other tasks like playing any Steam game. Then after some time the assistant is gone.
    Sometimes I also see unfixed blank space in place where ad was removed.
     
  16. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    13,144
    Wow, so steam is breaking injecting CSS/JS on HTTPS websites?

    How is that possible?:) Mind if I take a look through remote access?
     
  17. mysteriously

    mysteriously Beta Tester & Translator

    Joined:
    May 4, 2014
    Messages:
    508
    No, I meant it breaks 'by itself', it just needs a time :)
    Sure, if you are patient enough to do it on slow netbook and with such sick configuration as mine :)
    Team Viewer 10 or 11?
     
  18. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    13,144
    TV 10
     
  19. mysteriously

    mysteriously Beta Tester & Translator

    Joined:
    May 4, 2014
    Messages:
    508
    On Youtube sometimes it looks like this

    [​IMG]

    The loading circle was spinning because I already clicked on 1st video and then took the screenshot.
    I won't touch anything when the issue occurs next time (will not let the PC go to sleep mode etc.)
     
  20. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    13,144
    Would be great, I'd like to see it with my own eyes