[squid-users] Re: SSL Traffic Monitoring

From: Peter Arnold <arnoldpj@dont-contact.us>
Date: Thu, 05 Aug 2004 20:34:54 +1000

> > I am looking to start caching SSL traffic, so I can make the content conform
> > to company HR policies.

> > There are commercial products that do this.

MS's ISA apparently does... Where I work is seriously considering moving to this.

> > I was wondering what the Squid crowd was doing for this issue?

For us it's becoming an issue as we need to filter email traffic for viruses. There was a recent episode where the desktop AV provider had not released an update for an active virus. It was getting blocked at the email GW by a different AV filter but webmail was a very real risk.

> Generally HTTPS traffic can not be cached due to the encryption.

I'm more interested in filtering for ever increasing security reasons.

> Technically it is possible to implement a decrypting proxy using spoofed server certificates issued by the proxy, but this has not
> yet been implemented in Squid. The technical drawbacks from doing this are

Is this the case even with the ssl patch for squid 2.5? I've been trying to get something to work for a while now but haven't been able to nut it out. I was thinking it might work to reverse proxy and sslproxy a list of known ssl email sites but I've not been able to find much info on this particular scenario... now I know why.

> - End-to-end is violated, making it impossible to use/access sites requiring client side SSL certificates for authentication.

Could squid be configured to ACL what does and doesn't get decrypted/encrypted?

> - User no longer is given the choice of trusting or denying access to sites not having a valid certificate. The company policy set in the proxy applies to all.

I can probably live with that. Our users wouldn't care. Maybe an option in config could cover this?

> - User no longer can inspect the servers certificate to determine if the site is trustworthy or not.

See above.

> - Not yet implemented in Squid, so to do this it first needs to be implemented in the Squid code.

> If you want to discuss how this may be implemented in Squid please contact [EMAIL PROTECTED]

> Regards
> Henrik

Cheers
Peter Arnold
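The selective decryption Peter asks about (an ACL deciding which TLS sessions the proxy decrypts) did not exist in Squid 2.5 when this thread was written, but later Squid releases added it as SSL Bump. The fragment below is an added illustration, not configuration from this thread or from the Squid project's documentation; it assumes Squid 4 or later, a locally generated proxy CA at /etc/squid/proxyCA.pem that has been deployed to the clients' trust stores, the certificate-generator helper path shown (it varies by distribution), and a placeholder domain list for the sites that must be left untouched (for example sites that authenticate with client certificates, which the thread notes cannot survive interception).

```conf
# squid.conf excerpt (added example, assumes Squid 4+).
# Explicit proxy port that can bump CONNECT tunnels; the proxy signs
# per-site certificates with its own CA, which is why end-to-end trust
# from the client's point of view is replaced by trust in the proxy.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/proxyCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that mints the spoofed server certificates (path is an assumption).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Sites never decrypted: client-certificate logins, banking, anything that
# policy or end-to-end requirements exclude. Placeholder names, not real targets.
acl noBumpSites ssl::server_name .client-cert-login.example .bank.example

# Step 1 of the TLS handshake: peek at the client's SNI so the ACL above can
# be evaluated before any certificate is forged.
acl step1 at_step SslBump1
ssl_bump peek step1

# Pass excluded sites through untouched (splice), decrypt everything else (bump).
ssl_bump splice noBumpSites
ssl_bump bump all

# Because users can no longer inspect server certificates themselves, the
# proxy must be strict on their behalf: refuse upstream servers whose
# certificate fails validation instead of silently re-signing it.
sslproxy_cert_error deny all
```

The ordering of the `ssl_bump` rules matters: `peek` at step 1 makes the server name available to the `ssl::server_name` ACL, and `splice` has to come before the catch-all `bump` or every session is decrypted. `sslproxy_cert_error deny all` answers the second drawback Henrik lists; loosening it to an allow-list hands the trust decision for those sites to whoever edits squid.conf, so it deserves the same review as the decryption list itself.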
Received on Thu Aug 05 2004 - 04:38:04 MDT
