Re: [squid-users] Re: Squid log details - HTTPS tunnel detection

From: K K <kkadow@dont-contact.us>
Date: Wed, 23 May 2007 16:00:23 -0500

On 5/23/07, Markus Moeller <huaraz@moeller.plus.com> wrote:
> "Henrik Nordstrom" <henrik@henriknordstrom.net> wrote in message
> news:1179939625.31121.48.camel@henriknordstrom.net...
> >Most isn't actually using SSL, so an IDS system looking for odd traffic
> >in CONNECT requests will trap many of them (but not all).

Any chance of implementing basic "Is this CONNECT session really SSL?"
functionality in Squid?

> Correct. But I am specifically interested in the bad guys which use SSL.

I recall some (recent?) research on using Netflow and/or Argus to
identify unusual patterns of traffic flow. Normal HTTP inside of SSL
produces a different pattern of query->response packets than does a
remote access tunnel; this can be detected by old school "traffic
analysis".

Another option is to route SSL through a commercial product which does
true SSL/TLS "interception", terminating the crypto in the analysis
box and then re-establishing a new SSL session to the Internet. This
has *huge* implications for privacy, HIPAA, etc.

I've spoken with Bluecoat, Radware, Checkpoint, and others about
products in this space, but the whole idea gives me the willies.

Kevin
Received on Wed May 23 2007 - 15:02:44 MDT
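A defender-side check for the "Is this CONNECT session really SSL?" question raised above, as an added example that is not part of the thread and not Squid code: it inspects the first bytes a client sends into a tunnel and decides whether they form a TLS ClientHello (or a legacy SSLv2-format hello), which is what an IDS or proxy hook would test before letting the tunnel proceed. All sample payloads are constructed for the example.

```python
def build_client_hello(client_version=(3, 3)) -> bytes:
    """Build a minimal, well-formed TLS ClientHello record (constructed sample)."""
    body = (
        bytes(client_version)        # client_version (3,3 = TLS 1.2)
        + b"\x00" * 32               # random
        + b"\x00"                    # session_id length 0
        + b"\x00\x02\x13\x01"        # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # record header


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data begins with a TLS record carrying a ClientHello (or a legacy
    SSLv2-format ClientHello); False for SSH, plain HTTP, or anything else."""
    # Legacy SSLv2-compatible ClientHello: high bit of first byte set, type byte 0x01.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return True
    if len(data) < 9:                      # 5-byte record header + 4-byte handshake header
        return False
    content_type, major, minor = data[0], data[1], data[2]
    if content_type != 0x16 or major != 0x03 or minor > 0x04:   # handshake, version 3.x
        return False
    record_len = int.from_bytes(data[3:5], "big")
    if record_len == 0 or record_len > 2**14 + 2048:          # max TLSPlaintext length
        return False
    handshake_type = data[5]
    handshake_len = int.from_bytes(data[6:9], "big")
    if handshake_type != 0x01 or handshake_len + 4 > record_len:
        return False
    # client_version inside the ClientHello must also be 3.x when present.
    if len(data) >= 11 and (data[9] != 0x03 or data[10] > 0x04):
        return False
    return True


# Constructed samples of what different clients send first through a tunnel.
SAMPLES = {
    "tls":  build_client_hello(),
    "v2":   b"\x80\x2e\x01\x03\x01" + b"\x00" * 44,   # legacy SSLv2-style hello
    "ssh":  b"SSH-2.0-OpenSSH_8.9\r\n",
    "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, first_bytes in SAMPLES.items():
        print(f"{name:5s} -> {'TLS' if looks_like_tls_client_hello(first_bytes) else 'not TLS'}")
```

This only answers "does the tunnel start like TLS"; a tunnel that opens with a genuine ClientHello and then carries something else is exactly the case the traffic-analysis approaches in the thread are meant to catch.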
