[Hmmm, word wrap please!]
On Tue, Dec 15, 1998 at 10:00:33AM +1000, Graham Maltby wrote:
> What are the implications (security or other) of removing the restriction on what port squid will make SSL connections.
>
> We have a particular web site that is using port 2000 for their SSL server, "to improve security". To allow this through the proxy I've added 2000 to the SSL_ports.
> Can someone explain the need for this ACL (SSL_ports)?
>
SSL_ports is necessary to stop Squid being used as a generic "hole" through
which nasty users can tunnel out of your nice firewall-protected network.
As HTTPS involves end-to-end encryption exchanges, the proxy in the middle
cannot be involved in crypt-negotiations - so it has to just act as a
tunnel. As such this is a "security hole" as anything could be done through
that tunnel - instead of the HTTPS traffic we were expecting.
All Web proxies suffer from this problem.
Basically SSL_ports limits the ports on which this "hacking" could work - it
really isn't a fix tho... :-(
--
Cheers
Jason Haar
Unix/Network Specialist, Trimble NZ
Phone: +64 3 3391 377 Fax: +64 3 3391 417

Received on Mon Dec 14 1998 - 21:23:28 MST
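The point made in the reply above, that SSL_ports only narrows which destination ports a CONNECT tunnel may reach, is easiest to see in the ACL lines themselves. The following squid.conf fragment is an added example written for this archive page; it is not from the original thread and not Squid's shipped default configuration. It assumes the standard `acl ... port`, `acl ... method`, `acl ... dstdomain` and `http_access` directives; `vendor.example.com` is a placeholder for the one site that runs its HTTPS service on port 2000.

```conf
# Ports that CONNECT tunnels are normally allowed to reach (HTTPS, SNEWS).
acl SSL_ports port 443 563
acl CONNECT method CONNECT

# Weak variant (what adding "2000" to SSL_ports does): every client may now
# open an opaque tunnel to port 2000 on *any* host on the Internet. Squid
# cannot inspect what flows through it, so this widens the "hole" globally.
#   acl SSL_ports port 443 563 2000

# Narrower variant: allow port 2000 only to the one vendor that needs it
# (placeholder domain), and keep SSL_ports unchanged for everyone else.
acl vendor_tls_site dstdomain .vendor.example.com
acl vendor_tls_port port 2000
http_access allow CONNECT vendor_tls_site vendor_tls_port

# Deny CONNECT to any port not in SSL_ports. This must come after the
# specific allow rule above and before the general allow rules that follow.
http_access deny CONNECT !SSL_ports
```

Because Squid evaluates `http_access` lines in order and stops at the first match, the site-specific allow has to precede the `deny CONNECT !SSL_ports` line; placing it afterwards leaves the tunnel blocked. Logging CONNECT requests that hit the deny rule (they appear in access.log with a 403 and the CONNECT method) gives a cheap way to spot clients probing for tunnel ports the policy does not permit.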
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:39 MST