Re: [squid-users] Skype SSL is incompatible with OpenSSL

From: Marcus Kool <marcus.kool_at_urlfilterdb.com>
Date: Wed, 07 May 2014 10:40:28 -0300

On 05/07/2014 06:44 AM, Pawel Mojski wrote:
> W dniu 2014-05-07 04:52, Jay Jimenez pisze:
>> Hi Marcus and Amos,
>
> [...]
>
>> I'm wondering if there's someone who successfully allowed Skype to
>> fake CONNECT to squid (I'm referring to interception not explicit
>> proxying). I cannot fully implement https interception until I find a
>> solution to properly intercept Skype.
>>
>> Many thanks in advance for all the help.
>
> It is very difficult to implement it on Squid, but theoretically you
> may bypass any SSL bumping to a remote side which introduces itself with this
> certificate chain:
> Certificate chain
> 0 s:/CN=*.gateway.messenger.live.com
> i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
> 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=MSIT Machine Auth CA 2
> i:/CN=Microsoft Internet Authority
> 2 s:/CN=Microsoft Internet Authority
> i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

There is a misunderstanding here.
Skype does not use SSL; it only uses port 443, which is commonly used by SSL,
but Skype knows that there is a proxy and uses the CONNECT method to get a tunnel from Squid.
Squid (without SSL-bump) then simply "tunnels" (i.e. passes everything from the client to the server and back).
But _with_ ssl-bump Squid assumes that the CONNECT is for an SSL connection, and this assumption is wrong.

> You can *try* to prepare your own external acl helper to check it.
> Skype transmission by design is SSL over 443 TCP port, but if Skype
> detects that the remote server is introducing itself with a wrong certificate, then
> it just drops the connection.
> We can't even check if the transmission is really HTTP over SSL; it might be
> anything.
>
> But the most important question is why you want to do it?
> By letting Skype go through you are opening your local network to you really
> don't know what. It can be any transmission, file sharing, remote
> desktop, you name it. So all your security mechanisms you can throw
> away; they are useless with open Skype.

This is entirely correct. Skype has too many features that bypass security measures and the worst is that Skype has an API which any 3rd party program (including a virus) can use.
So think twice before allowing Skype.

Marcus

> Regards;
> Pawel Mojski
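The point Marcus makes above is that an SSL-bumping proxy cannot assume the bytes following a CONNECT are TLS. The following is an added example, not code from this thread, from Squid or from Skype: it inspects the first client bytes of a tunnel and decides whether they form a TLS ClientHello (in which case the SNI host name can be logged or matched against policy) or an opaque stream that should be logged as "not TLS on 443" and handled by an explicit rule instead of a bump attempt. The minimal ClientHello builder exists only to construct a sample input; the opaque sample bytes are made up and are not a fingerprint of any real protocol.

```python
"""Classify the first client bytes of a CONNECT tunnel: TLS ClientHello or opaque data."""
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "client_hello"
SNI_EXT = 0x0000       # extension type "server_name"


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Cheap check on the record header: handshake record, SSL 3.x/TLS version, ClientHello."""
    if len(data) < 6:
        return False
    rec_type, ver_major, ver_minor = data[0], data[1], data[2]
    # Record-layer version is 0x03 0x00..0x04 for SSL 3.0 through TLS 1.3 (a heuristic, not a full parser).
    if rec_type != TLS_HANDSHAKE or ver_major != 3 or ver_minor > 4:
        return False
    return data[5] == CLIENT_HELLO


def extract_sni(data: bytes):
    """Return the SNI host name carried in a ClientHello, or None if the data is not TLS or has no SNI."""
    if not looks_like_tls_client_hello(data):
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]                 # handshake message: type(1) length(3) payload
    if len(body) < 4:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                               # skip client_version and random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                      # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                      # compression_methods
    if len(hello) < pos + 2:
        return None                            # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hello))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT and len(edata) >= 5:
            # server_name_list: list length(2), then name_type(1) + name length(2) + name
            name_type = edata[2]
            name_len = struct.unpack("!H", edata[3:5])[0]
            if name_type == 0 and len(edata) >= 5 + name_len:
                return edata[5:5 + name_len].decode("ascii", "replace")
    return None


def classify_tunnel(data: bytes) -> str:
    """Decision a proxy-side check could log: 'tls:<sni>', 'tls:<no-sni>' or 'opaque'."""
    if not looks_like_tls_client_hello(data):
        return "opaque"
    sni = extract_sni(data)
    return "tls:" + (sni if sni is not None else "<no-sni>")


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with one cipher suite and an SNI extension (sample input)."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + bytes(32)           # client_version + zeroed random
             + b"\x00"                          # empty session_id
             + b"\x00\x02\xc0\x2f"              # one cipher suite
             + b"\x01\x00"                      # null compression only
             + exts)
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


# Constructed samples: a real ClientHello and two non-TLS first messages.
SAMPLE_TLS = build_client_hello("www.example.com")
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_OPAQUE = bytes.fromhex("170300a5ff0001")   # made-up bytes, not any protocol's signature

if __name__ == "__main__":
    for label, sample in (("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP), ("opaque", SAMPLE_OPAQUE)):
        print(f"{label:7s} -> {classify_tunnel(sample)}")
```

The check deliberately stops at the record header and the SNI extension; it is meant for a logging or policy hook that runs once per tunnel on the first client bytes, not as a TLS implementation. Anything classified as "opaque" is exactly the traffic Pawel describes: it could be anything, and a bump attempt on it will only produce a broken connection.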
Received on Wed May 07 2014 - 13:40:33 MDT
