Re: [squid-users] Proxy https

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 24 Apr 2009 23:00:46 +1200

Stun Box wrote:
>> Not the way you want to do it.
>>
>> You can happily do steps 1->2, but as soon as the browser starts the HTTPS
>> connection you loose all control over what happens inside the encrypted
>> tunnel.
>>
>> You cannot configure browsers with WPAD/PAC to connect to the proxy over SSL
>> since none of the common browsers have any kind of SSL-proxy connection
>> features.
>>
>> You cannot fake being https://example.com since the browser and HTTPS
>> security is created expressly to detect and alert the user to such
>> man-in-middle attacks.
>
> I know that's impossible to fake a domain name like I described...
> Sorry, I have just presented the main idea.
> In fact, it will need a domain name modification, such as the captive
> portal "talweg" does http://google.fr -> https://u-google--my.talweg/
> and it uses wildcard ssl. But the inconvenience of talweg, that is
> required the installation of its certificat and it does not permit
> accounting.
> Ok, so... I guess squid do not do that. Thanks for answering.

I didn't think of doing it as an accelerated local site.
Yes Squid should be capable of doing that much.
  see https_port and url_rewrite_program

Amos

>
>> You cannot use the SSLBump feature of 3.1 without causing large visitor
>> annoyance as the alerts on every site they visit (even unencrypted ones!)
>> shows web attacks taking place.
>>
>> Basically, with the captive portal approach you are forced to accept any
>> kind of internal inputs. The visitor machine is always correct, you have
>> zero control over their machine. All you can do is map insecure internal
>> connections to secure _external_ protocols on the Internet side of the
>> portal. In some cases respond with an informative message saying please do X
>> instead of Y and hope the visitor reads it.
>>
>> Unless you are in a very high-security environment this should not be an
>> issue. If you are in a high security environment WTF are you doing running a
>> captive portal instead of a blanket security firewall?
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>> Current Beta Squid 3.1.0.7
>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
Received on Fri Apr 24 2009 - 11:00:40 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 24 2009 - 12:00:03 MDT