[squid-dev] SSL-BUMP, Encryption and coding licensing.

Eliezer Croitoru eliezer at ngtech.co.il
Thu Jul 12 22:36:29 UTC 2018


Hey Dev list,

 

Since StoreID and SSL-BUMP have been in production, I have found myself asking:

What is proper?

Does a specific license mean something?

Do I want to publish software or code with closed sources or open sources?

What is worth encrypting and/or securing?

To understand why I got to these questions, I must make something clear.

I don't think that every piece of code should be seen by just anybody.

I believe that there are good reasons out there to encrypt an end-to-end
connection with whatever means necessary.

Before I delved into my StoreID research, I wrote a service that was caching
a couple of very big data providers (audio, video, DB and many other types).

It took me a couple of years to actually sit down for R&D so that StoreID
would be publicly available.

One of the reasons for this is that once it's out in the open, many will try
to use and maybe abuse it.

For some, StoreID and caching are there just to resolve a bandwidth
consumption or overload issue.

For others, StoreID is a heaven for hackers, crackers and phishers.

At the time when I published my "Coordinator" R&D, which used two Squid
instances for de-duplication, there was a crucial issue it was targeting.

Many companies left their clients' and users' sensitive data, such as login
and other details, in plain text.

YouTube, Facebook and a couple of other companies had a CDN network that every
medium-level hacker or phisher could just hijack without the client's
knowledge.

I do believe that Google statistics can be used as power, but only in the
right hands.

The funniest thing is that Google Ads for some reason offers me ads for
things that I don't really need and have no interest in.

But this is their business, and I can open some sources to show weaknesses in
a couple of systems around the globe, but...

I want my work to help others earn their living and not to snatch food from
a table worthy of it.

Due to the above, I have looked at the BSD, GNU and Apache licenses, which are
kind of famous in the Open-Source world.

I noticed that I mostly want to publish source code under the BSD
license (3-clause), but I do want the GPL-type licenses to still exist.

I have seen (and correct me if I'm wrong) that there are a couple of types of
BSD software:

- The Good
- The Bad
- The Weird
- The Ugly
- ...

Giving someone the joy and happiness of earning what he deserves almost
never comes from "Google/Bing/Others foo".

The actual R&D and the stage of understanding what the code does and means
is what mainly gives joy or... pain.

Satisfaction is another subject, since I have seen pieces of code like "rm
-rf /" in the middle of a Makefile script.

Was it a typo, or maybe malicious? (Please share your thoughts.)

I understand that we all get the opportunity for an error, but it doesn't
justify doing and meaning bad things.

Today I am happy with StoreID and SSL-BUMP, since I believe that those who
invested time and money have a purpose, a good one.

I have code that I wrote which I am protecting and holding back from
publication, since I care whether someone will get hurt by it.

I want developers and admins to write good eCAP, ICAP and other pieces of
software related and unrelated to Squid-Cache.

Due to this, I decided that I will not publish specific pieces of code, so
those who invested time and money will be able to enjoy their efforts.

I believe that a king is worthy of his name not by having a good brain but by
having a good heart. A brain is a blessing.

When a king sits in court with judges, I believe he should respond when all
the sitting judges and representatives of both sides have finished presenting
and interrogating.

First the representatives should tell their story, then the judges should
react with questions and maybe even interrogation (not only the
representatives have this duty).

Then, and only then, after both sides of the table have finished their
actions, is it time for the king's words to come out.

The king is allowed to do whatever he wants, but he has the duty of doing and
making right.

A true king doesn't take control of a domain and do whatever he wants with
it.

A true king receives the domain by being worthy of it.

Sometimes I see code I can write in 5 minutes, but when I see that the writer
posted a license I hold my breath and ask myself if it's right to compose my
own piece.

When I see encrypted and protected code I hold myself back, but I do not like
cons!

One of the weird things I have seen is a JS sending pieces of a file bit by
bit from the background of the browser to a specific destination.

The browser can sit running for a day sending data, and while the client sees
no issue with it, he actually feeds more and more data to the other side.

This is where I got to a decision!

I like SSL-BUMP!!!

The Squid-Cache project might look like an old piece of software that
doesn't do threading or a couple of other things, but it's a great piece of
code.

I have a ready-to-use, current (2018) YouTube and Google video caching and
filtering service, but...

I will not publish the sources yet.

I would like to say thank you to the great development team of this project,
which since v3.2 changed its attitude from "caching as much as you want" to
"cache what's worthy of it".

I believe that many admins now understand more about IT security due to
this amazing project.

I would like to hear from you what you think is not worth publishing.

Let's say I have code that can take one of Google's nodes; what should I do?

I can write code that meets a spec/blueprint but is licensed; would it be
OK to write software that does the same but with my original code and
license?

What is the right way to tell a sysadmin or a webmaster that his site can be
compromised?
Would hacking the site "symbolically", i.e. adding some text to the site, be
OK?
... not talking about tearing the site apart, just adding a tiny JS popup
like the cookie warning that many sites show?

Thanks,

Eliezer

----

Eliezer Croitoru <http://ngtech.co.il/lmgtfy/> 
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il