Re: [squid-users] Squid v3.3.8 & SSL Bumping Issues

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Wed, 09 Jul 2014 11:59:40 -0600

On 07/08/2014 08:17 PM, David Marcos wrote:

> b. HTTP Strict Transport Security (HSTS): Some pages flat-out
> reject any SSL bumping due to HSTS. I am using Chrome, which I'm sure
> aggravates the issue. Is there a way to configure Squid to get around
> HSTS? (Yes, I know this may be a dumb question given how HSTS works,
> but would appreciate any insight.)

HSTS is an active area of research so I do not have final answers for
you, but my current understanding is:

a) HSTS itself is more-or-less compatible with SslBump. If you can
successfully convince an HTTP client to trust the Root certificate used
by Squid, then sites visited by that client will not violate any
standard HSTS rules.

b) Bumping errors unrelated to HSTS may be misinterpreted as
HSTS-related errors because the browser says "I cannot render that site
because of HSTS". What the browser means, in some cases, is that "I do
not trust that site [because there was a bumping problem] and HSTS rules
prevent me from showing you the sites I do not trust". In this
particular case, HSTS is mostly irrelevant. Once you fix the true cause
of distrust, everything should work.

c) If a browser or browser plugin "pins" a certificate to a site, it
will not trust any other certificate for that site, possibly resulting
in HSTS errors. See item (b) above for why these are not actually HSTS
errors. In this case, there may be no solution -- you cannot force the
browser to unpin the certificate if that pinning was hard-coded.

Corrections welcomed!

HTH,

Alex.
Received on Wed Jul 09 2014 - 17:59:53 MDT
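The three cases in the reply above (a trusted Squid root, an untrusted bumping certificate under an HSTS policy, and a pinned key) can be made concrete with a small model of the browser-side decision. This is an added example, not code from the thread, from Squid, or from any browser: the certificates, trust store, HSTS cache and pin set are constructed stand-ins (issuer names and made-up SPKI bytes rather than real X.509 objects), and the `Browser.evaluate` method is a hypothetical simplification of what a client actually does.

```python
"""Model of a browser deciding whether to render a site served via SslBump.

Added illustration of points (a)-(c) in the reply: chain trust, HSTS and
key pinning are modelled separately so it is visible which one actually
produces the error the browser reports.  All data below is constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # name of the CA that signed this certificate
    spki: bytes   # stand-in for the DER SubjectPublicKeyInfo


def spki_pin(cert: Cert) -> str:
    """Pin value as browsers compute it: SHA-256 over the SPKI (hex here)."""
    return hashlib.sha256(cert.spki).hexdigest()


@dataclass
class Browser:
    trusted_roots: Set[str]          # CA names in the client's trust store
    hsts_hosts: Set[str]             # hosts with a cached or preloaded HSTS policy
    pins: Dict[str, Set[str]]        # host -> acceptable SPKI pins (hard-coded)

    def evaluate(self, host: str, leaf: Cert) -> Tuple[str, str]:
        """Return (outcome, reason) for the certificate presented for host.

        Outcomes: 'ok', 'warning' (interstitial the user can bypass) or
        'hard-fail' (no bypass).  HSTS only changes warning -> hard-fail;
        it never rejects a chain the client already trusts.
        """
        chain_ok = leaf.issuer in self.trusted_roots
        pinned: Optional[Set[str]] = self.pins.get(host)
        pin_ok = pinned is None or spki_pin(leaf) in pinned

        if chain_ok and pin_ok:
            # Point (a): a trusted bumping root violates no HSTS rule.
            return "ok", "issuer trusted; HSTS satisfied"
        if not chain_ok:
            if host in self.hsts_hosts:
                # Point (b): the real problem is distrust; HSTS just removes
                # the click-through, so the browser blames HSTS.
                return "hard-fail", "untrusted issuer; HSTS forbids bypass"
            return "warning", "untrusted issuer; user may bypass"
        # Point (c): chain validates, but the key is not the pinned one.
        return "hard-fail", "pin mismatch; chain trusted but key not pinned"


# Constructed certificates: the site's own leaf and the one Squid generates.
ORIGINAL_LEAF = Cert("example.test", "Public CA", b"original-site-key")
BUMPED_LEAF = Cert("example.test", "Squid Root", b"squid-generated-key")


def scenario_trusted_root() -> Tuple[str, str]:
    """(a) Squid root installed in the client; HSTS host; no pinning."""
    b = Browser({"Public CA", "Squid Root"}, {"example.test"}, {})
    return b.evaluate("example.test", BUMPED_LEAF)


def scenario_untrusted_root() -> Tuple[str, str]:
    """(b) Squid root missing from the client; HSTS turns warning into hard-fail."""
    b = Browser({"Public CA"}, {"example.test"}, {})
    return b.evaluate("example.test", BUMPED_LEAF)


def scenario_untrusted_root_no_hsts() -> Tuple[str, str]:
    """Same distrust as (b) but without HSTS: bypassable warning instead."""
    b = Browser({"Public CA"}, set(), {})
    return b.evaluate("example.test", BUMPED_LEAF)


def scenario_pinned_key() -> Tuple[str, str]:
    """(c) Squid root trusted, but the host's key is hard-coded pinned."""
    b = Browser({"Public CA", "Squid Root"}, {"example.test"},
                {"example.test": {spki_pin(ORIGINAL_LEAF)}})
    return b.evaluate("example.test", BUMPED_LEAF)


if __name__ == "__main__":
    for fn in (scenario_trusted_root, scenario_untrusted_root,
               scenario_untrusted_root_no_hsts, scenario_pinned_key):
        print(f"{fn.__name__:32s} -> {fn()}")
```

Running the four scenarios shows that only the distrusted-issuer case is affected by HSTS at all, and there HSTS merely withholds the bypass; the pinning case fails even with the Squid root fully trusted, which is why the reply says there may be no fix when pins are hard-coded.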
