On Wed, 25 May 2011 16:16:54 +0000, Ming Fu wrote:
>> >> It is too late to alter the client certificate. By the time a server
>> >> connection is opened Squid may have already served replies out of cache
>> >> to the client.
>> >
>> > I am a bit surprised. Can sslbump make some https content cacheable?
>>
>> Why surprised? ssl-bump's purpose is to remove the SSL layer on arriving
>> traffic.
>>
>> The data inside is just HTTP and gets handled the same as any other.
>> Caching, filtering, alterations. Anything goes once the security layer
>> is erased.
>>
>
> This does make me worried. For a web developer writing an https-only
> site, he wouldn't bother with cache control headers the same as when he is
> developing an http site. The https itself implies private to sharing. I would
> expect sslbump to preserve this privacy in dealing with https traffic.
>
>
> Ming
Sadly this is not new. The same problem happens in HTTP. Some webmaster
jumps on "no-cache" or "no-store" instead of "private". Sets it site-wide
instead of just on the personal pages. Proxy admins see a site forcing
constant reloads on static images that don't ever change, and set a
site-wide ignore-nocache. Everything goes sour.

All SSL does is verify whether the other endpoint is trusted or not by the
particular client. This is why the ssl-bump feature only works in LAN
situations where the proxy CA can be installed on worker PCs.

Reverse-proxies have always done the mirror image of bump, where the
website cert can be installed on each edge proxy https_port and signed
by a major CA that everybody trusts. LANs which want to bump have always
been able to set up their own reverse-proxy with DNS records and MITM the
HTTPS.

Amos
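As an added illustration of the "private" versus "no-cache" versus "no-store" distinction drawn in this thread (example code, not from the thread or from Squid itself): a small checker, run over constructed sample response headers, that reports what a shared cache such as a bumping proxy may do with each response under the HTTP/1.1 rules.

```python
"""Decide whether a shared cache (a proxy like Squid, including on
ssl-bumped traffic) may store an HTTP response.  HTTP/1.1 semantics:
`private` bars shared caches only, `no-store` bars all storage, and
`no-cache` allows storage but forces revalidation on every use.
All sample headers below are constructed for illustration."""

def parse_cache_control(value):
    """Split a Cache-Control header value into {directive: argument}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_verdict(headers, request_had_authorization=False):
    """Return 'no-store', 'private', 'revalidate' or 'storable'."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc:
        return "no-store"      # nobody may keep a copy
    if "private" in cc:
        return "private"       # only the user's own browser cache may keep it
    if request_had_authorization and not (
            "public" in cc or "s-maxage" in cc or "must-revalidate" in cc):
        return "private"       # RFC 2616 14.8: shared caches stay out
    if "no-cache" in cc:
        return "revalidate"    # stored, but re-checked with the origin each use
    return "storable"          # nothing forbids a shared cache keeping it

# Constructed samples: an https-only site that set no Cache-Control at all
# (the case the thread worries about), the correct `private` marking, and
# the site-wide "no-cache"/"no-store" habit Amos describes.
SAMPLES = {
    "account-page-no-headers": {"Content-Type": "text/html"},
    "account-page-private": {"Cache-Control": "private, max-age=0"},
    "logo-site-wide-no-cache": {"Cache-Control": "no-cache"},
    "token-no-store": {"Cache-Control": "no-store, no-cache"},
}

def audit(samples=SAMPLES):
    """Map each sample name to the shared-cache verdict for its headers."""
    return {name: shared_cache_verdict(h) for name, h in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:28s} -> {verdict}")
```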
Received on Thu May 26 2011 - 02:42:54 MDT