Re: [squid-users] Proxy https

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 24 Apr 2009 13:14:54 +1200

Stun Box wrote:
> Hello,
>
> I have a wireless network which gives visitor access through a captive portal.
> I am using coovachilli, but it does not ensure protection. (Open
> Association & Http)
> I am looking for a proxy which can receive a http request
> (http://www.google.fr), redirect to https protocol
> (https://www.google.fr), do the http request on the internet side,
> then get back the web page asked through the https connection to the
> client.
>
> Schematically, it looks like this:
>
> User => http request => Proxy
> User <= https redirect <= Proxy
> User => https request => Proxy => http request => website
> User <= https response <= Proxy <= http response <= website
>
> Is that possible with squid?
>

Not the way you want to do it.

You can happily do steps 1->2, but as soon as the browser starts the
HTTPS connection you lose all control over what happens inside the
encrypted tunnel.

You cannot configure browsers with WPAD/PAC to connect to the proxy over
SSL since none of the common browsers have any kind of SSL-proxy
connection features.

You cannot fake being https://example.com since the browser and HTTPS
security is created expressly to detect and alert the user to such
man-in-the-middle attacks.

You cannot use the SSLBump feature of 3.1 without causing large visitor
annoyance as the alerts on every site they visit (even unencrypted
ones!) show web attacks taking place.

Basically, with the captive portal approach you are forced to accept any
kind of internal inputs. The visitor machine is always correct, you have
zero control over their machine. All you can do is map insecure
internal connections to secure _external_ protocols on the Internet side
of the portal. In some cases respond with an informative message saying
please do X instead of Y and hope the visitor reads it.

Unless you are in a very high-security environment this should not be an
issue. If you are in a high security environment WTF are you doing
running a captive portal instead of a blanket security firewall?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
Received on Fri Apr 24 2009 - 01:14:49 MDT
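Steps 1 and 2 of the scheme in the question (accept a plain-HTTP request, answer with a redirect to the https:// form of the same URL) are the part of the design that a proxy can actually do. The following is an added example written for this page in Python; it is not Squid code and not something from the thread. It assumes the proxy listens on 127.0.0.1:3128 (a constructed choice) and handles both request-target forms a proxy sees: absolute-form (`GET http://host/path`, browser configured with a proxy) and origin-form (`GET /path` plus a Host header, transparent interception). It also shows the point where the proxy stops being useful: once the browser issues CONNECT for the HTTPS connection, the proxy can only tunnel or refuse, it cannot see inside.

```python
"""HTTP->HTTPS redirecting proxy (steps 1 and 2 of the scheme). Added example."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def https_redirect_target(request_target: str, host_header: Optional[str]) -> Optional[str]:
    """Return the https:// URL to redirect the client to, or None when the
    request cannot be safely upgraded (not plain http, no Host, userinfo...)."""
    parts = urlsplit(request_target)
    if parts.scheme == "http" and parts.netloc:
        # absolute-form: the browser was configured to use us as its proxy
        host, path, query = parts.netloc, parts.path, parts.query
    elif parts.scheme == "" and request_target.startswith("/"):
        # origin-form: transparently intercepted request, destination is in Host
        if not host_header:
            return None  # no way to know where the client wanted to go
        host, path, query = host_header, parts.path, parts.query
    else:
        return None  # https://, ftp://, CONNECT authority-form, etc.
    # Drop an explicit :80 so the redirect lands on the default HTTPS port.
    hostname, sep, port = host.rpartition(":")
    if sep and port == "80":
        host = hostname
    if not host or "@" in host:
        return None  # refuse userinfo; it would let a crafted URL steer the redirect
    return urlunsplit(("https", host, path or "/", query, ""))


class RedirectingProxyHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _redirect(self):
        target = https_redirect_target(self.path, self.headers.get("Host"))
        if target is None:
            self.send_error(400, "Only plain-HTTP requests can be upgraded")
            return
        # 301 for safe methods; 308 keeps the method and body for POST etc.
        status = 301 if self.command in ("GET", "HEAD") else 308
        self.send_response(status)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = do_POST = _redirect

    def do_CONNECT(self):
        # Step 3 of the scheme: the browser now wants to tunnel TLS through us.
        # Everything after this point is encrypted end-to-end between browser and
        # origin, so a proxy can either relay bytes blindly or refuse; it cannot
        # inspect or rewrite the page. Here we refuse rather than pretend.
        self.send_error(403, "TLS tunnelling through this proxy is not supported")


if __name__ == "__main__":
    # Constructed listen address; point a browser's HTTP proxy setting at it.
    HTTPServer(("127.0.0.1", 3128), RedirectingProxyHandler).serve_forever()
```

Point a browser's HTTP proxy setting (or a transparent redirect of port 80) at 127.0.0.1:3128 and any http:// request comes back as a redirect to the https:// equivalent; the browser then opens its own TLS connection, which this proxy cannot participate in, which is exactly the limitation described in the reply.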
