RE: [squid-users] Squid on transparent proxy for 443 request

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 27 Apr 2009 12:42:45 +1200 (NZST)

> Oh I see,
> I won't bother then, it was just for an experience.
> But anyway, since I'm only passing traffic from 80 through squid, I want
> to add 443 traffic also.
> What aspects do I have to be concerned about, on how to activate
> transparent mode for 443?

Concerns?
 1) transparent interception == man-in-the-middle attack.
 2) private details of clients are opened to you and anyone who gets
access to the middle machine.
 3) clients may be made aware by the security systems involved that you
are attacking them.

The only semi-legitimate argument towards doing it in the first place is
for anti-virus scanning etc., which adequate server or client AV systems
make useless anyway. All other control measures are human rights
violations of privacy, which is illegal in most parts of the world.

Amos

>
>> -----Original Message-----
>> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
>> Sent: Sunday, 26 April 2009 1:56
>> To: Jorge Bastos
>> Cc: squid-users_at_squid-cache.org
>> Subject: Re: [squid-users] Squid on transparent proxy for 443 request
>>
>> Jorge Bastos wrote:
>> > Hi there,
>> > What are the concerns that I need to have to make squid act as a
>> > transparent proxy on port 443?
>> > I need to catch the data that is being sent from a website that works
>> under
>> > https, is it possible? Data
>> >
>> > Right now I only use it for standard port 80.
>> >
>>
>> Not possible. HTTPS guarantees the client can see 100% of the machines
>> for itself to the source.
>>
>> One user has recently pointed out that redirecting HTTPS URLs to a
>> local domain reverse-proxied by Squid might work though. The client
>> believes and accepts Squid credentials as its proper destination site
>> and Squid handles decryption->re-encryption going HTTPS to the remote
>> site.
>>
>> That is very similar to how SSLBump works with CONNECT requests in 3.1.
>> But may get past the invalid certificate issues.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>> Current Beta Squid 3.1.0.7
>
>
Received on Sun Apr 26 2009 - 23:42:42 MDT
