How are full URLs exposed when they are encrypted by HTTPS?

The article states that:

a connection was discovered to a web filter app built by Conor [Solutions]

Given that it was a web filter, and given that it was able to log URLs, we can infer that this was a Man-in-the-Middle (MITM) proxy which decrypted the requests, filtered based on the unencrypted request, and then re-encrypted and forwarded the request to the actual destination. And unfortunately, it logged these requests, and that log got compromised, thus the leak.

This sort of MITM would require a CA certificate be installed on the client so that the proxy could present certificates for each web site visited. Presumably Conor Solutions had some way to roll this change out to customers; perhaps there was "filtering software" for customers opting into having web filtering as a package.


Below is a screenshot of an image search at the time of this discussion. The source image from the OP is referenced in numerous websites, and appears to be the subject of discussion due to the image content.

The original image appears to be from a vpnMentor blog post: https://www.vpnmentor.com/blog/report-conor-leak/


Looking through https://crt.sh/?q=xvideos.com, it doesn't seem that any gov has issued a certificate to xvideos.com.

Considering the JSON log source (see image for log location), though redacted, my bet is a user agent plugin/extension logging all activity. E.g., a parental control/marketing solution. (Why would there be a "_score" data element?!?)

A sophisticated break/inspect proxy is less likely, due to the original reporting from vpnMentor indicating TLS was not used to protect the "database" of user info. A MITM (break/inspect) proxy would be observed via the user agent (browser), and poor hygiene of the solution would likely result in widespread detection by the users.

Relative URLs are not indicated in DNS lookups or TLS SNI, regardless of encryption.
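The first answer notes that a decrypting web filter needs its own CA installed on the client, and the second that such a break/inspect proxy "would be observed via the user agent". The following script, an added example that is not from either answer, shows one way a defender observes it: connect with the platform trust store and compare the issuer of the leaf certificate against a baseline recorded on a clean network. The hostnames and issuer organizations in EXPECTED_ISSUER_ORG, and the certificate dicts in the test, are constructed assumptions, not claims about any real site's current issuer.

```python
"""Detect TLS break/inspect proxies by checking who issued the leaf certificate.

A filtering proxy that decrypts HTTPS must present its own certificate for each
site, signed by a CA installed on the client. Certificate validation passes
(the CA is trusted), so the interception only shows up when the issuer seen by
the client differs from the issuer expected for that host.
"""
import socket
import ssl

# Constructed baseline: issuer organization(s) expected per host. Record these
# once from a network known to be free of interception; values here are
# illustrative assumptions only.
EXPECTED_ISSUER_ORG = {
    "example.com": {"DigiCert Inc"},
}


def rdn_value(name, key):
    """Pull one attribute (e.g. organizationName) out of the nested RDN tuples
    that ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def classify_issuer(cert, host, expected=EXPECTED_ISSUER_ORG):
    """Return ('expected'|'unexpected'|'unknown-host', issuer label) for a
    getpeercert()-shaped dict. 'unexpected' is the signal of an interception CA."""
    issuer = cert.get("issuer", ())
    org = rdn_value(issuer, "organizationName")
    label = org or rdn_value(issuer, "commonName")
    allowed = expected.get(host)
    if allowed is None:
        return "unknown-host", label
    if org in allowed:
        return "expected", label
    return "unexpected", label


def check_host(host, port=443, timeout=5.0):
    """Network call: validate with the system trust store, then classify the
    issuer. Validation alone cannot catch a proxy whose root was installed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_issuer(tls.getpeercert(), host)


if __name__ == "__main__":
    print(check_host("example.com"))
```

Running this from several client machines and diffing the results also reveals whether only some users (for example those who opted into a filtering package) are behind the proxy.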

Tags: logging, http, tls