RE: [squid-users] Squid use SSL ALWAYS?

From: Aaron Gray <aaronmgray@dont-contact.us>
Date: Wed, 28 Jun 2006 19:21:29 -0700

I have used SSH port forwarding in the past and it was pretty slick. I
remember when it was only supported by the retail SSH not OpenSSH. It may
be supported now.

How can that be used though to connect my outside network to my proxy and
keep it encrypted? The OS being used by the client is WinXP with either IE
or Firefox connecting to Linux w/ squid 2.2 stable.

-----Original Message-----
From: Chris Lightfoot [mailto:chris@sphinx.mythic-beasts.com] On Behalf Of Chris Lightfoot
Sent: Wednesday, June 28, 2006 4:01 PM
To: Aaron Gray
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid use SSL ALWAYS?

On Wed, Jun 28, 2006 at 11:07:01AM -0700, Aaron Gray wrote:
> I have squid working perfectly as a caching proxy server.
> If I access my squid proxy server from a network that has some kind of
> "sniffing" software, they can see the headers are HTTP headers (even though
> it is on a weird port) and still identify where you're going and read all the
> plain text HTML.
>
> Is there any way to make it so that when I connect to the squid proxy and
> authenticate (which I require based on my ACL) that it creates an SSL
> connection (or something similar) to where all traffic is encrypted even if
> the destination page is not a https website? I want to hide the plain text.

As others have suggested, you can use an SSL tunnel for
this application. You could also use SSH's port forwarding
facilities. However, note that this will not prevent an
attacker with access to the network from discovering that
you are using HTTP -- the pattern and timing of requests
sent and replies received is likely to be quite
characteristic of the protocol. This sort of traffic
analysis will not reveal which web pages you are viewing
(unless your client leaks that information in other ways,
for instance by doing DNS queries for them) but it will
reveal that you're using HTTP, or another similar
protocol.

-- 
``My teacher's face when he worked out what I was doing was a picture. A
  picture of howling existential despair. So no change there, then.''
  (Dominic Fox, on abbreviations)
Received on Wed Jun 28 2006 - 20:21:41 MDT
