Re: [squid-users] https://weather.yahoo.com redirect loop

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 21 Aug 2014 16:38:33 +1200

On 21/08/2014 2:23 p.m., Lawrence Pingree wrote:
> No, I mean they are intentionally blocking with a configured policy,
> it's not a bug. :) They have signatures that match Via headers and
> forwarded for headers to determine that it's squid. This is because
> many hackers are using bounces off open squid proxies to launch web
> attacks.
>

That still sounds like a bug. Blocking on squid existence makes as much
sense as blocking all traffic with UA header containing "MSIE" on
grounds that 90% of web attacks come with that agent string.
The content inside those headers is also context specific, signature
matching will not work beyond a simple proxy/maybe-proxy determination
(which does not even determine non-proxy!).

A proposal came up in the IETF a few weeks ago that HTTPS traffic
containing Via header should be blocked on sight by all servers. It got
booted out on these grounds:

* the "bad guys" are not sending Via.

* what Via do exist are being sent by "good guys" who obey the specs but
are otherwise literally forced (by law or previous TLS based attacks) to
MITM the HTTPS in order to increase security checking on that traffic
(i.e. AV scanning).

Therefore, the existence of Via is actually a sign of *good* health in
the traffic and a useful tool for finding culprits behind the well
behaved proxies.
Rejecting or blocking based on its existence just increases the ratio
of nasty traffic which makes it through. While simultaneously forcing
the "good guys" to become indistinguishable from "bad guys". Only the
"bad guys" get any actual benefit out of the situation.

Basically "via off" is a bad idea, and broken services (intentional or
otherwise) which force it to be used are worse than terrible.

Amos
Received on Thu Aug 21 2014 - 04:38:59 MDT
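The point Amos makes above, that a Via/X-Forwarded-For signature can at best separate "proxied" from "maybe proxied" and never proves "no proxy", is easy to see in code. The following is an added example written for this archive page; it is not code from the thread, from Squid, or from Yahoo. It parses Via values using the RFC 7230 hop grammar (`[protocol-name "/"] protocol-version received-by [comment]`), and the sample header values are constructed, modelled on the `1.1 host (squid/version)` form Squid emits when `via on` (the default) is in effect. The function names (`parse_via`, `classify`, `self_identified_squid_hops`) are this example's own.

```python
"""Via header parsing and the limits of header-signature proxy detection.

Added example: sample headers below are constructed, not captured traffic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One Via hop per RFC 7230 section 5.7.1:
#   [protocol-name "/"] protocol-version RWS received-by [RWS comment]
# Nested parentheses inside the comment are not handled (RFC allows them).
_HOP = re.compile(
    r"^\s*(?:(?P<proto>[A-Za-z0-9.+-]+)/)?(?P<ver>[A-Za-z0-9.]+)"
    r"\s+(?P<by>[^\s(,]+)"
    r"(?:\s*\((?P<comment>[^)]*)\))?\s*$"
)


@dataclass
class ViaHop:
    protocol: str           # "HTTP" when the protocol-name is omitted
    version: str            # e.g. "1.1"
    received_by: str        # host[:port] or a pseudonym
    comment: Optional[str]  # free text; Squid puts "squid/<version>" here


def split_hops(value: str) -> List[str]:
    """Split a Via value on commas, ignoring commas inside (comments)."""
    hops, cur, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            hops.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    hops.append("".join(cur))
    return [h.strip() for h in hops if h.strip()]


def parse_via(value: str) -> List[ViaHop]:
    """Parse a Via header value into its hops, in forwarding order."""
    hops = []
    for raw in split_hops(value):
        m = _HOP.match(raw)
        if not m:
            raise ValueError(f"malformed Via hop: {raw!r}")
        hops.append(ViaHop(m.group("proto") or "HTTP", m.group("ver"),
                           m.group("by"), m.group("comment")))
    return hops


def self_identified_squid_hops(hops: List[ViaHop]) -> List[ViaHop]:
    """Hops whose comment names squid. Only proxies that choose to announce
    themselves appear here; a proxy running 'via off' leaves no hop at all."""
    return [h for h in hops if h.comment and "squid" in h.comment.lower()]


def classify(headers: Dict[str, str]) -> str:
    """The most a header signature can conclude: 'proxied', 'maybe-proxied'
    or 'unknown'. It never returns 'direct': a proxy that strips or disables
    Via/X-Forwarded-For is indistinguishable from no proxy at all."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("via") and parse_via(h["via"]):
        return "proxied"
    if h.get("x-forwarded-for"):
        return "maybe-proxied"  # trivially forged, and added by non-proxies too
    return "unknown"


# Constructed sample requests (not captured traffic).
WELL_BEHAVED = {"Via": "1.1 proxy.example.net (squid/3.4.6), 1.0 fred",
                "X-Forwarded-For": "192.0.2.10"}
XFF_ONLY = {"X-Forwarded-For": "192.0.2.10"}
SILENT: Dict[str, str] = {}  # a direct client, or a proxy with 'via off'

if __name__ == "__main__":
    for name, req in (("well-behaved", WELL_BEHAVED),
                      ("xff-only", XFF_ONLY), ("silent", SILENT)):
        print(f"{name:13s} -> {classify(req)}")
    for hop in parse_via(WELL_BEHAVED["Via"]):
        print(hop)
```

Run it and the "silent" request comes back `unknown`, not `direct`: the parser can recognise a proxy that announces itself and can flag the weaker X-Forwarded-For hint, but it has no way to rule a proxy out, which is exactly why blocking on the presence of Via only penalises the proxies that are following the spec.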
