[squid-users] Squid 3 SSL bump: Google drive application could not connect

Amos Jeffries squid3 at treenet.co.nz
Wed Dec 31 00:03:35 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 31/12/2014 6:30 a.m., shawn wilson wrote:
> On Dec 30, 2014 8:57 AM, "Amos Jeffries" wrote:
>> 
> 
>> 
>> As bumping gets more popular we are hearing about a number of
>> services abusing port 443 for non-HTTPS protocols on the false
>> assumption that the TLS layer goes all the way to the origin
>> server without inspection. That has never been a true assumption,
>> CDN frontends have always decrypted.
>> 
> 
> OT but you use 443 because people expect it to be encrypted web
> data and don't block it. And DPI doesn't tell you anything more.
> 

"web" is no longer just HTTP and that is part of the problem. People
treat port 443 as if any of the "web" protocols can use it just by
being wrapped in TLS.

Port 443 is specifically registered for "HTTP over TLS" (aka HTTPS).
"Web" includes HTTP, but also includes protocols like RSS, WebSockets,
SPDY, QUIC, CoAP, even IRC and Jabber at times.

The other non-HTTP protocols have other non-443 ports registered or
available for their use. Some like SMTP even switch their main port
between encrypted and non-encrypted as needed.

I know it can be hard to get unusual ports opened past firewalls, but
that is not being helped by everything using only a handful of ports.
[I have a long rant at this point about lazy corporates, but it's 2015
in a few hrs so I'll drop it for now].

Amos

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUoz1SAAoJELJo5wb/XPRjjysH/0qwbyyOk8gIqziA5gU2h5FX
ztcvM6gMxNSUWkZ68Duc7MSP+5D5LfWpGUuGoIvsqV2ovMY5CT1hFKNsk/JyvAsH
NORSS1EYwns0z8ftlJi0h5//YdzFIVX5BAbGmDuUQuIsGcm3Yxjofn91YU4wlkM1
QfnPfBXRJKeXUkDaAsC+OiK1SgMpFb7WwGnbkqaTZZYM1qjETbWlujJGQK0Ipz+v
NIKATGdksa1cYxkb91J6G8Y9hJBAYkxMIQi1n+cvQ1ntDqBUn5bHK9LTS8/7Ledm
yzc27NNqHSgGY3FwfjNaHjIoNaJTukcH6WA/qBlJF4wz/uSZ/ZD4QMsGidmmNaE=
=JXLa
-----END PGP SIGNATURE-----
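An added example, not code from the original message or from the Squid project: a small Python parser for the first TLS record a client sends, extracting the SNI and ALPN extensions. That is exactly the information a bumping proxy has at the "peek" stage before it commits to bumping or splicing, and ALPN is how a client says whether it intends to speak HTTP inside the TLS layer at all. A client that advertises only a non-HTTP ALPN identifier (the registered "xmpp-client" value is used below as an illustration) is spliced through untouched; anything advertising HTTP is bumped. The ClientHello bytes are constructed by the builder function, not captured traffic; the HTTP_ALPN set and the choice to bump when no ALPN is present are policy assumptions of this example.

```python
import struct

# ALPN identifiers that mean "HTTP inside this TLS session" (assumed policy list).
HTTP_ALPN = {"http/1.0", "http/1.1", "h2"}

SNI_EXT = 0     # server_name, RFC 6066
ALPN_EXT = 16   # application_layer_protocol_negotiation, RFC 7301


def build_client_hello(server_name, alpn_protocols):
    """Construct a minimal TLS 1.2 ClientHello record for testing (constructed data,
    fixed random and a single cipher suite; not a real client's hello)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name          # host_name type
    sni_ext = (struct.pack(">HH", SNI_EXT, len(sni_entry) + 2)
               + struct.pack(">H", len(sni_entry)) + sni_entry)
    exts = sni_ext
    if alpn_protocols:
        plist = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn_protocols)
        exts += (struct.pack(">HH", ALPN_EXT, len(plist) + 2)
                 + struct.pack(">H", len(plist)) + plist)
    hello = (b"\x03\x03"                       # client_version TLS 1.2
             + b"\x11" * 32                    # random (constant, test only)
             + b"\x00"                         # empty session id
             + struct.pack(">H", 2) + b"\xc0\x2f"  # one cipher suite
             + b"\x01\x00"                     # one compression method: null
             + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': str|None, 'alpn': [str, ...]} from a TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 2 + 32                                   # skip client_version and random
    sid_len = hello[pos]; pos += 1 + sid_len       # session id
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher suites
    cm_len = hello[pos]; pos += 1 + cm_len         # compression methods

    result = {"sni": None, "alpn": []}
    if pos + 2 > len(hello):
        return result                              # no extensions block at all
    ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hello[pos:pos + 4]); pos += 4
        edata = hello[pos:pos + elen]; pos += elen
        if etype == SNI_EXT:
            list_len = struct.unpack(">H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack(">H", edata[p + 1:p + 3])[0]; p += 3
                name = edata[p:p + nlen]; p += nlen
                if ntype == 0 and result["sni"] is None:
                    result["sni"] = name.decode("ascii")
        elif etype == ALPN_EXT:
            list_len = struct.unpack(">H", edata[:2])[0]
            p = 2
            while p < 2 + list_len:
                plen = edata[p]; p += 1
                result["alpn"].append(edata[p:p + plen].decode("ascii")); p += plen
    return result


def bump_decision(record):
    """'bump' when the client intends HTTP (or says nothing), 'splice' when it
    advertises only non-HTTP application protocols. Assumed policy, not Squid's."""
    info = parse_client_hello(record)
    if info["alpn"] and not any(p in HTTP_ALPN for p in info["alpn"]):
        return "splice"
    return "bump"


if __name__ == "__main__":
    for name, alpn in [("www.example.com", ["h2", "http/1.1"]),
                       ("xmpp.example.net", ["xmpp-client"]),
                       ("legacy.example.org", [])]:
        rec = build_client_hello(name, alpn)
        print(name, parse_client_hello(rec), "->", bump_decision(rec))
```

The weak spot is the last case: a client that sends no ALPN gives the proxy nothing to go on, and whatever default you pick (this example bumps) will be wrong for some service that chose port 443 simply because it was open. That is the failure the thread is about; a peek at SNI and ALPN narrows it but cannot remove it.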

