
Windows Filtering Platform to filter HTTPS from managed code

Tags: c++, c#, https, tcp, wfp

I want to develop a host-based firewall for Windows, mainly to filter URLs starting with HTTPS! I know that Microsoft is presenting WFP as a substitute for the deprecated old techniques such as firewall/filter hooks, NDIS, TDI, WSA and Winsock 2 (LSP). But WFP does not currently support filters with hostname or URL. Also, WFP is only in C/C++ and there are no available C# wrappers in .NET.

I tried @basil's WinDivert demo app webfilter, which parses packets in outbound traffic for IPv4 on TCP port 80 (default HTTP), resets the server connection (TCP RST) and sends an HTML response to the client (browser) followed by a TCP FIN in case the URL matches any of the blacklisted entries given in a text file as a command-line argument, and re-injects them otherwise...

    handle = WinDivertOpen(
        "outbound && "              // Outbound traffic only
        "ip && "                    // Only IPv4 supported
        "tcp.DstPort == 80 && "     // HTTP (port 80) only
        "tcp.PayloadLength > 0",    // TCP data packets only
        WINDIVERT_LAYER_NETWORK, priority, 0
    );

My question is: can I change this code to support HTTPS (change port to default 443) and also IPv6? If so, I'm willing to write a P/Invoke wrapper class to call it from managed C# code.

Extra: This solution can be bypassed using SSH tunneling; is there another way to bypass it?

asked Oct 19 '25 03:10

JohnTube


1 Answer

HTTPS uses encryption to stop third parties intercepting and modifying the HTTP stream. So the short answer is "no".

In principle you could use WinDivert to launch a man-in-the-middle attack to gain access to the unencrypted HTTP stream. However, this will be detected, and the web browser will sternly warn the user that they are under attack and not to continue.

answered Oct 21 '25 16:10

Basil
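
The URL path, headers and body of an HTTPS request are encrypted, as the answer says; the one name a packet filter on TCP port 443 can still read in clear is the host name in the SNI extension of the TLS ClientHello, provided the client does not use Encrypted Client Hello. The following is an added example, not code from the original post or from WinDivert: `tls_sni` and `SAMPLE_HELLO` are hypothetical names, the sample bytes are constructed, and the parser assumes the whole ClientHello arrives in one TCP payload (it returns -1 otherwise).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: minimal TLS ClientHello with SNI "example.com" (72 bytes). */
static const uint8_t SAMPLE_HELLO[] =
    "\x16\x03\x01\x00\x43" "\x01\x00\x00\x3f" "\x03\x03"   /* record hdr, handshake hdr, version */
    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"  /* random (32 bytes) */
    "\x00" "\x00\x02\x13\x01" "\x01\x00" "\x00\x14"         /* session id, ciphers, compression, ext len */
    "\x00\x00\x00\x10\x00\x0e\x00\x00\x0b" "example.com";   /* server_name extension */

static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }
/* tls_sni (hypothetical helper): copy the SNI host name from a TCP payload that starts
 * with a ClientHello. Returns its length, or -1 (other data, truncated, no SNI, out too small). */
int tls_sni(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    size_t pos, end;
    if (len < 9 || buf[0] != 0x16 || buf[5] != 0x01) return -1;  /* handshake record, ClientHello */
    pos = 9 + 2 + 32;                        /* skip both headers, version, random */
    if (pos + 1 > len) return -1;
    pos += 1 + buf[pos];                     /* session_id */
    if (pos + 2 > len) return -1;
    pos += 2 + rd16(buf + pos);              /* cipher_suites */
    if (pos + 1 > len) return -1;
    pos += 1 + buf[pos];                     /* compression_methods */
    if (pos + 2 > len) return -1;
    end = pos + 2 + rd16(buf + pos);         /* end of the extensions block */
    if (end > len) return -1;                /* hello continues in a later segment */
    for (pos += 2; pos + 4 <= end; ) {
        unsigned type = rd16(buf + pos), elen = rd16(buf + pos + 2);
        pos += 4;
        if (pos + elen > end) return -1;
        if (type == 0) {                     /* server_name extension */
            /* Layout: list length (2), name type (1, 0 = host_name), name length (2), name. */
            if (elen < 5 || buf[pos + 2] != 0) return -1;
            unsigned nlen = rd16(buf + pos + 3);
            if (5 + nlen > elen || nlen + 1 > outsz) return -1;
            memcpy(out, buf + pos + 5, nlen);
            out[nlen] = '\0';
            return (int)nlen;
        }
        pos += elen;
    }
    return -1;                               /* no SNI extension present */
}
int main(void) {
    char host[256];
    if (tls_sni(SAMPLE_HELLO, sizeof SAMPLE_HELLO - 1, host, sizeof host) > 0) puts(host);
    return 0;
}
```

A filter built on this can only allow or block by host name; anything after the host in the URL stays inside the encrypted stream.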


