RE: RES: [squid-users] block https requests

From: Dean Weimer <dweimer_at_orscheln.com>
Date: Wed, 17 Dec 2008 11:05:30 -0600

The host is still known from the request header and is not encrypted in https; only the data in the body of the request and reply is encrypted. If the headers were encrypted, a proxy would never be able to direct the request to the origin server.

Here is a direct copy from a raw TCP data capture of a login to my home web server.
CONNECT www.myhostinghome.net:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Proxy-Connection: keep-alive
Host: www.myhostinghome.net
HTTP/1.0 200 Connection established
...........II-....`.9..$........Q6z...j...D ..q...........
....@.8b.....7O"F.D.
.......9.8.......5.........E.D.3.2.........A...../.........
.....
[...snip...]

This is the reason you won't find any forms on a decent secure site using the GET method, as the data submitted will still be visible to anyone in the middle.

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co

-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uhlar_at_fantomas.sk]
Sent: Wednesday, December 17, 2008 11:02 AM
To: squid-users_at_squid-cache.org
Subject: Re: RES: [squid-users] block https requests

On 16.12.08 13:51, Ricardo Augusto de Souza wrote:
> I AM used to block sites using:
>
>
> acl bad_sites dstdomain "/etc/squid/bad_sites.txt"
>
> http_access deny bad_sites
>
>
>
> With this my users cannot access all domains listed in
> "/etc/squid/bad_sites.txt" using http but they can access using https.

squid does not see what's in https requests, they are encrypted. That's what
the "s" means (secure): only client and server know what's inside, nobody
else.

You can disable the CONNECT method to those hosts. You may need to disable
CONNECT to IP addresses.

Or you may do an MITM attack and use sslbump (which means https won't be
secure anymore for your clients). Clients will detect it - they will see a
certificate mismatch (since you won't be able to provide anyone's
certificate but yours).

> How do I solve this?

disable https?

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have. 
Received on Wed Dec 17 2008 - 17:05:49 MST
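
As an added example (not from either poster and not squid's own code), the Python below mirrors what Dean's capture shows and what Matus suggests: the proxy only ever sees the plaintext CONNECT line before the TLS handshake, so it can apply a dstdomain-style deny list to that line, and it must also catch CONNECT to bare IP addresses, which would otherwise slip past a name-based list. The capture bytes, the deny list and the helper names are constructed for illustration; the squid equivalent is the stock `acl CONNECT method CONNECT` combined with `http_access deny CONNECT bad_sites`.

```python
import ipaddress
import re

# Constructed sample of what a proxy sees before the tunnel goes opaque:
# a plaintext CONNECT request, a blank line, then the start of the client's
# TLS handshake (readable only as bytes, never as application data).
SAMPLE_CAPTURE = (
    b"CONNECT www.myhostinghome.net:443 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Proxy-Connection: keep-alive\r\n"
    b"Host: www.myhostinghome.net\r\n"
    b"\r\n"
    b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98\x03\x01"  # opening bytes of a TLS ClientHello
)

# Hypothetical deny list in squid dstdomain style: a leading dot matches the
# domain and every subdomain; a bare name matches that exact host only.
BAD_SITES = [".myhostinghome.net", "example.org"]

CONNECT_RE = re.compile(rb"^CONNECT\s+(\S+)\s+HTTP/1\.[01]\r?\n")


def visible_plaintext(raw: bytes) -> bytes:
    """Everything up to the blank line is readable by the proxy; the rest is not."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    return head + sep if sep else head


def parse_connect(raw: bytes):
    """Return (host, port) from the plaintext CONNECT line, or None if absent."""
    m = CONNECT_RE.match(raw)
    if not m:
        return None
    authority = m.group(1).decode("ascii", "replace")
    if authority.startswith("["):            # bracketed IPv6 literal, [2001:db8::1]:443
        host, _, port = authority[1:].partition("]")
        port = port.lstrip(":")
    elif ":" in authority:                   # name:port or IPv4:port
        host, _, port = authority.rpartition(":")
    else:                                    # no port given at all
        host, port = authority, ""
    return host.lower().rstrip("."), (int(port) if port.isdigit() else None)


def matches_dstdomain(host: str, pattern: str) -> bool:
    """squid dstdomain semantics: '.example.org' covers example.org and *.example.org."""
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(raw: bytes, bad_sites=BAD_SITES) -> str:
    """'deny' or 'allow' for the CONNECT in raw, modelled on
    'http_access deny CONNECT bad_sites' plus a deny on IP-literal targets."""
    parsed = parse_connect(raw)
    if parsed is None:
        return "not-a-connect"
    host, _port = parsed
    # A user typing https://192.0.2.10/ never presents a name to match, so a
    # name-only list is bypassed unless IP literals are refused outright.
    if is_ip_literal(host):
        return "deny"
    if any(matches_dstdomain(host, p) for p in bad_sites):
        return "deny"
    return "allow"


if __name__ == "__main__":
    print(visible_plaintext(SAMPLE_CAPTURE).decode())
    print("verdict:", decide(SAMPLE_CAPTURE))
```

The deny on IP literals is deliberately blunt; a real deployment would pair it with a list of internal address ranges that are allowed, since some legitimate intranet sites are reached by address rather than name.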

This archive was generated by hypermail 2.2.0 : Fri Dec 19 2008 - 12:00:02 MST