Re: [squid-users] How Bad is CONNECT and Should I Prevent It?

From: K K <kkadow@dont-contact.us>
Date: Tue, 19 Jun 2007 13:59:19 -0500

On 6/19/07, Jakob Curdes <jc@info-systems.de> wrote:
> Vadim Pushkin schrieb:
> > Has anyone on this list ever deployed a third-party tool to do what JC
> > suggests? I.e. block or limit file-transfers, inspect https traffic
> > so as to block/allow it based on what it is doing?

Yes. There are many commercial products which will inherently do
simple inspection on the HTTPS protocol to deny CONNECT if the client
and server aren't at least pretending to talk SSL/TLS.

Commercial products which actually do man in the middle (MITM) against
the SSL so they can inspect the data exchange are more expensive.

> Restrict access to listed sites yes, third party no. Somebody in another
> reply seemed to have experience with a commercial app, I don't.

I have experience with a couple of different commercial products.
They work, but the privacy implications are frightening.

Received on Tue Jun 19 2007 - 12:59:25 MDT
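The "simple inspection" the reply above describes (refusing a CONNECT tunnel unless the client at least starts a TLS handshake) can be shown with a short parser; this is an added example, not code from the thread or from Squid, and it assumes the proxy has peeked at the first bytes the client sends after CONNECT is accepted. It also pulls the SNI hostname so the tunnel can be checked against a host list, with the caveat that SNI is a client-supplied hint, not a verified identity. Sample handshakes are constructed inline, so it runs offline.

```python
import struct

def parse_client_hello(data: bytes):
    """Return the SNI host ('' if absent) when data starts with a TLS
    ClientHello, or None when it is not a TLS handshake at all."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None                      # not a TLS handshake record
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:  # handshake type 1 = ClientHello
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 34                              # skip version(2) + random(32)
    try:
        pos += 1 + hs[pos]                                   # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                                   # compression
        if pos >= len(hs):
            return ""                     # no extensions, so no SNI
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                # server_name extension
                # list length(2), name type(1), name length(2), name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                       # truncated or malformed: treat as not TLS
    return ""

def tunnel_decision(first_bytes: bytes, allowed_hosts) -> str:
    """Policy a proxy could apply to the first bytes seen inside a CONNECT tunnel."""
    sni = parse_client_hello(first_bytes)
    if sni is None:
        return "deny: not a TLS handshake"
    if sni == "":
        return "deny: no SNI to evaluate"
    return "allow" if sni in allowed_hosts else f"deny: {sni} not on allow list"

def build_client_hello(host: str) -> bytes:
    """Constructed test input: minimal TLS 1.2 ClientHello, one cipher, SNI only."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```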

This archive was generated by hypermail pre-2.1.9 : Sun Jul 01 2007 - 12:00:04 MDT