Re: [RFC] Peek and Splice

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 01 Feb 2013 10:00:29 -0700

On 02/01/2013 09:08 AM, Marcus Kool wrote:
> On 02/01/2013 01:48 PM, Alex Rousskov wrote:
>> Or are you thinking about sending SSL Hello messages to ICAP and eCAP
>> services? If Peek and Splice succeeds, that will be technically possible
>> as well, but will require more work and would be a separate project.

> I was thinking about this: when Squid peeks at the data and finds that it
> is non-SSL, send it to the ICAP server to ask its opinion.
> This is obviously more work, but also extremely useful, since a
> content filter is only useful if it is able to inspect _all_ content,
> and consequently the feature of Squid to connect to content filters
> is only useful if Squid sends _all_ data to the content filter for
> analysis.
>
> Perhaps needless to say: viruses like to communicate in non-standard
> ways, so Squid would be considered much more secure if it sends _all_ data
> to an ICAP server for analysis.

I agree with the general "everything we proxy should be available for
analysis" principle. Getting to that point would be difficult because
protocols and APIs such as ICAP, eCAP, external ACL helper, and
url_rewriter were not designed to deal with "everything". They need to
be tweaked or extended to work with non-HTTP traffic. We already do that
in some cases (e.g., FTP) but more is needed to handle "everything".

Cheers,

Alex.
Received on Fri Feb 01 2013 - 17:00:37 MST
