Re: Hello from Mozilla

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robert Collins wrote:

>>> P.S. So every time that I set up squid on my machine to test something,
>>> it always denies access to me out of the box. I finally figured out
>>> it's because you don't allow localhost connections by default. Should
>>> you be adding a line like
>>>
>>> acl localnet src localhost
>>>
>>> to squid.conf? Is there a reason why you're allowing 10.0.0.1, etc. to
>>> connect, but not localhost?
>
> I'd be open to us changing this. It is a [small] risk for a bastion host
> to allow connections from itself because a different account being
> compromised then allows access via the proxy. I have no evidence to make
> an assertion about the frequency of deployments on a bastion host vs
> behind one, and so the only argument I have for preserving it is 'secure
> as possible by default', which while a good argument isn't the end of
> the discussion.

Your argument is subject to reductio ad absurdam: if you want "secure
as possible by default", then the default config shold not allow proxied
access from *any host at all*. Any host other than localhost should be
*less* trusted than localhost.

I would argue that enabling only localhost for the default "forward
proxy" configuration is a sane default: people configuring things like
bastions ought not to expect to use out-of-the box configs without
review / tweakage, while people using Squid as a personal cache ought
not to have to do such tweaks.

Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 tseaver_at_palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFKVARQ+gerLs4ltQ4RAhlJAKDWsjrr/7IT45r4IPXsXt5Xyfa0zwCffrfr
hLbI2vMOIWeHA09Mf+Kdg2k=
=bVwt
-----END PGP SIGNATURE-----
Received on Wed Jul 08 2009 - 03:05:03 MDT