[squid-dev] request for change handling hostStrictVerify

Alex Rousskov rousskov at measurement-factory.com
Fri Oct 29 22:09:31 UTC 2021


On 10/26/21 5:46 PM, kk at sudo-i.net wrote:

> - Squid enforces the Client to use SNI
> - Squid lookup IP for SNI (DNS resolution).
> - Squid forces the client to go to the resolved IP

AFAICT, the above strategy is in conflict with the "SECURITY NOTE"
paragraph in host_verify_strict documentation: If Squid strays from the
intended IP using client-supplied destination info, then malicious
applets will escape browser IP-based protections. Also, SNI obfuscation
or encryption may make this strategy ineffective or short-lived.

AFAICT, in the majority of deployments, the mismatch between the
intended IP address and the SNI/Host header can be correctly handled
automatically and without creating serious problems for the user. Squid
already does the right thing in some cases. Somebody should carefully
expand that coverage to intercepted traffic. Frankly, I am somewhat
surprised nobody has done that yet given the number of complaints!


HTH,

Alex.


More information about the squid-dev mailing list