RE: [squid-users] https://weather.yahoo.com redirect loop

From: Lawrence Pingree <geekguy_at_geek-guy.com>
Date: Thu, 21 Aug 2014 06:39:49 -0700

Don't kill the messenger :) I agree, but had to remove forwarded for and via or I faced blocking and weirdness with several of the services I use. I won't name names cause I don't really want to pursue the debate.

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Wednesday, August 20, 2014 9:39 PM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] https://weather.yahoo.com redirect loop

On 21/08/2014 2:23 p.m., Lawrence Pingree wrote:
> No, I mean they are intentionally blocking with a configured policy,
> its not a bug. :) They have signatures that match Via headers and
> forwarded for headers to determine that it's squid. This is because
> many hackers are using bounces off open squid proxies to launch web
> attacks.
>

That still sounds like a bug. Blocking on squid existence makes as much sense as blocking all traffic with UA header containing "MSIE" on grounds that 90% of web attacks come with that agent string.
The content inside those headers is also context specific, signature matching will not work beyond a simple proxy/maybe-proxy determination (which does not even determine non-proxy!).

A proposal came up in the IETF a few weeks ago that HTTPS traffic containing Via header should be blocked on sight by all servers. It got booted out on these grounds:

* the "bad guys" are not sending Via.

* what Via do exist are being sent by "good guys" who obey the specs but are otherwise literally forced (by law or previous TLS based attacks) to MITM the HTTPS in order to increase security checking on that traffic (ie. AV scanning).

Therefore, the existence of Via is actually a sign of *good* health in the traffic and a useful tool for finding culprits behind the well behaved proxies.
Rejecting or blocking based on its existence just increases the ratio of nasty traffic which makes it through. While simultaneously forcing the "good guys" to become indistinguishable from "bad guys". Only the "bad guys" get any actual benefit out of the situation.

Basically "via off" is a bad idea, and broken services (intentional or
otherwise) which force it to be used are worse than terrible.

Amos
Received on Thu Aug 21 2014 - 13:40:25 MDT
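The two settings the thread argues about are the squid.conf directives `via` and `forwarded_for`. The fragment below is an added illustration written for this archive page, not configuration posted by either participant: the first block shows the "strip everything" configuration Lawrence describes, the second the alternative Amos argues for, which keeps Via intact so the proxy stays identifiable and attributable while still letting the administrator choose how much client address information X-Forwarded-For carries. The directive values are the documented ones; the IP address is a constructed sample.

```conf
# --- Configuration described in the thread: proxy hides itself ---
# Squid no longer adds "Via: 1.1 proxyhost (squid/3.x)" to requests or replies.
via off
# Squid removes the X-Forwarded-For header entirely instead of appending
# the client address, e.g. "X-Forwarded-For: 192.0.2.10" (constructed sample).
forwarded_for delete

# --- Alternative consistent with Amos's argument: stay identifiable ---
# Keep the Via header (this is the default), so upstream operators can
# see that a well-behaved proxy is in the path and attribute traffic to it.
via on
# Choose how much client address detail to forward. "on" appends the client
# IP; "truncate" replaces any inherited entries with just the client IP
# (useful when you do not want to relay addresses from proxies behind you);
# "transparent" passes the header through unmodified.
forwarded_for truncate
```

Only one of the two blocks belongs in a live squid.conf; they are shown side by side to make the difference visible. On a server that blocks on the mere presence of Via, the second configuration will still be rejected, which is exactly the point of the thread: the fix belongs on the blocking side, not in disabling the header.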
