Re: [squid-users] Squid 3.2.1 is available

From: Eliezer Croitoru <>
Date: Sat, 18 Aug 2012 20:58:01 +0300

> The browser is 100% unaware of the proxies existence and the page being
> fetched from a different server than its TCP connection was sent to.
> All the IP level security the browser uses to check same-origin is
> bypassed silently. All the DNSSEC, IP-based firewall rules, etc which
> the LAN administrator may have setup for that client to make use of are
> also bypassed silently unless replicated in proxy config.
> I'm not sure which of the two is more serious, but leaning slightly
> towards the firewall bypasses being worse nowdays since browsers have
> improved their checking a bit too along the same lines as the squid checks.
> It is possible for a website JS (ie advert) to fetch a malicious page
> using a benign TCP connection to a safe IP address and a Host: with
> malicious server name. The result corrupts the browser cache with a
> phishing-style page and gives open access to any private details
> (credentials, cookies, local browser state) to the malicious website
> server.
> The only real solution is to avoid using an interception or transparent
> proxy completely (or use it only to bounce clients to a "how to
> configure your browser" page as per the ZeroConf wiki example). But the
> 3.2 changes raise the difficulty for attackers and go a long way towards
> avoiding collateral damage to the rest of the LAN clients from such
> attacks.
> Amos
Thanks Amos,

I wasn't sure that I got it right but it seems like my logic was right
after all.

But if anyone do use firewall + intercept proxy he will most likely will
manage the proxy acls to match the local security policy else then the


Eliezer Croitoru
IT consulting for Nonprofit organizations
eliezer <at>
Received on Sat Aug 18 2012 - 17:58:21 MDT

This archive was generated by hypermail 2.2.0 : Sun Aug 19 2012 - 12:00:03 MDT